MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16a6035998ab93446a8f04d59c6e59ef5cfc6514fa41a6fd2367ff3d1f4540bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook

Vendor detections: 4



SHA256 hash: 16a6035998ab93446a8f04d59c6e59ef5cfc6514fa41a6fd2367ff3d1f4540bf
SHA3-384 hash: eaf94698a9d035c1d2cb3596ce244c263791d2a9b318100dd7b4a4183c62595d8455fefef166efdeb68219a76a9f9505
SHA1 hash: 8da7b19b607dc84977ab6c2c6e3cc945c13e55da
MD5 hash: ae23b3027b10f2c48e3272bfe680dfc6
humanhash: autumn-kentucky-delaware-cat
File name: bank-info.rar
Signature: Formbook
File size: 13'537 bytes
First seen: 2022-06-21 06:38:27 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 384:Fw+lHMh6icYR3h2VU9zlVIhUnSO3x6s7G0LAtO2+ZNkv:GO0f3UinSEc0Ov
TLSH: T15452C1D5788D056861EFF02496A3827FA4A80371069DD33417D1BAFFFEA4CA185F3444
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: FormBook rar


cocaman
Malicious email (T1566.001)
From: "Account <har.cro@arapeytermas.com>" (likely spoofed)
Received: "from irrotoln.arapeytermas.com (irrotoln.arapeytermas.com [193.233.182.92]) "
Date: "20 Jun 2022 21:18:20 -0700"
Subject: "Fwd: CONFIRM BANK DETAILS"
Attachment: "bank-info.rar"

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:fs44 collection persistence rat spyware stealer suricata trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: Formbook
Sample: rar 16a6035998ab93446a8f04d59c6e59ef5cfc6514fa41a6fd2367ff3d1f4540bf (this sample)
