MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a1ac513637736f7640e6988e63d82c17e58d475e9334973caaacdf8e148827a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a1ac513637736f7640e6988e63d82c17e58d475e9334973caaacdf8e148827a
SHA3-384 hash: 4a5a514e8789b919d928c1c661b13f7dcfa20df09d3afda39e540e5099ee7666fc199cdce0ddfbc032c2ba1f6fb820f7
SHA1 hash: 91569a72d7bff60337ee498b908134f8d465322f
MD5 hash: a1fddda4997ea73d2d493120e869be22
humanhash: alaska-beer-island-alpha
File name:PAYMENT COPY.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:411'884 bytes
First seen:2022-06-14 06:16:04 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:+pua/QJbypToAAp+D4exq2Vyl1yjnSG9Oy/ulzMO+Ku9:+pua/PpToAMaQ6yl69T/au9
TLSH T19F9423340F425372BFBE19555D5FA9B6EAB1AF9815374AB38443EC5203CC201BA7E2C9
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook payment SWIFT zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Morena" <sales@mecpac.com>" (likely spoofed)
Received: "from mageneet.com (unknown [194.31.98.179]) "
Date: "13 Jun 2022 22:18:36 -0700"
Subject: "RE: Swift Payment Advice"
Attachment: "PAYMENT COPY.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs414.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62a8281e2d4be2eac84e06c6/reports/a8a0aa2b-5d6d-46bc-9c27-cda8fd62d841/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1a1ac513637736f7640e6988e63d82c17e58d475e9334973caaacdf8e148827a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a1ac513637736f7640e6988e63d82c17e58d475e9334973caaacdf8e148827a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 04:25:56 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dinmke3do43pozaongeompmcyf7frvdv5ezus46kvlg7rykiqj5a._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:be3s loader rat suricata
Link:
https://tria.ge/reports/220614-g1gklscbhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DYEPACK
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a1ac513637736f7640e6988e63d82c17e58d475e9334973caaacdf8e148827a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1a1ac513637736f7640e6988e63d82c17e58d475e9334973caaacdf8e148827a

(this sample)

Formbook

Executable exe 4cbc3d311cd15acac45fae5abe10aaca1b301e9be6d646b77030c03a9791f453

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4cbc3d311cd15acac45fae5abe10aaca1b301e9be6d646b77030c03a9791f453
  
Dropping
Formbook
  
Dropping
MD5 b580f163caef88d45f28cf7c40c8a2d8

Comments