MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b3cf45f434beb73fa2df5cef7e5f61b2d0cb4fdb426e2053c888c8567085d4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b3cf45f434beb73fa2df5cef7e5f61b2d0cb4fdb426e2053c888c8567085d4d
SHA3-384 hash: f62d09c02042c8576e2ceda4c22a95124f2f38030b94f8dc23f5384ef4067ccd2f4681b43c47f8db7ba4dc55e9f9a936
SHA1 hash: fa19d373dd101b8307b8d641bb6c2b41dd2b2ff3
MD5 hash: c253838c7bbee048a3a034f7c57ee51e
humanhash: aspen-beer-butter-seven
File name:slip-12-6.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:1'093'346 bytes
First seen:2021-12-07 09:07:56 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:hj6xptnIXEHIuiIE+XfLaf+woWO2uzRFW1rZ0owtT9lj5E2H2I:hj6ZIURiQvM+9WXYRaZ7ET9M2H2I
TLSH T10C353300103D6C88A9F5D2F9BBA0FF6E5BED56C0D2FDE191569FA2A3F4D14BC1280196
Reporter cocaman
Tags:FormBook lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Chan Lai Peng <uzm.bry@nvgolfer.com>" (likely spoofed)
Received: "from slot0.nvgolfer.com (slot0.nvgolfer.com [194.99.46.168]) "
Date: "06 Dec 2021 11:49:06 +0100"
Subject: "BANK IN SLIP"
Attachment: "slip-12-6.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61af2476fa72c81b5b0fc312/reports/463d610a-04ed-451d-bc61-14402a191cfd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b3cf45f434beb73fa2df5cef7e5f61b2d0cb4fdb426e2053c888c8567085d4d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 17:23:24 UTC
File Type:
Binary (Archive)
Extracted files:
23
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bm6pix2djpvxh6rn6xhppzpwdmwqznh5wqtoebj4rcgikzyilvgq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n3cs loader rat
Link:
https://tria.ge/reports/211207-k3xamabdd9/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.safetyeats.online/n3cs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0b3cf45f434beb73fa2df5cef7e5f61b2d0cb4fdb426e2053c888c8567085d4d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 0b3cf45f434beb73fa2df5cef7e5f61b2d0cb4fdb426e2053c888c8567085d4d

(this sample)

Formbook

Executable exe 8c9742ef470d7775d50747b430a247f90d491597395989269c2e42d640baa2df

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8c9742ef470d7775d50747b430a247f90d491597395989269c2e42d640baa2df
  
Dropping
Formbook

Comments