MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c55fbef2f04462f10f440ce6c2e3eacb987ffbdeb3cb5adfe92b566f98a65cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	1c55fbef2f04462f10f440ce6c2e3eacb987ffbdeb3cb5adfe92b566f98a65cf
SHA3-384 hash:	a6407a59803ef7a2c9dc9508031b34b2298cebcfd3aa21e56ffe66000ab5ee2f01057181430a8482ba05644a239396d8
SHA1 hash:	cef33521e580892516136db98e4dac3da1fa0a45
MD5 hash:	3ff1794dd1cfbe863a936e02b5ae2411
humanhash:	carbon-robert-princess-iowa
File name:	00098765434500987654323490000.pdf..zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	5'784 bytes
First seen:	2022-03-11 09:43:23 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	96:P5GrGPu9ZRf781Rgpy33A1YD1Me7GsU4e5uuXszDSh9sk2AIfLDP/nyfLR7x25:PdPQMR53Bz77Uz5J4WzskPyLbvyfLRlq
TLSH	T143C19F8294E81E19D54FDC72B35921A6E377E3989417AC03C939071A573E98A4F9C212
Reporter	cocaman
Tags:	FormBook INVOICE zip

cocaman

Malicious email (T1566.001)
From: "Goreti Corona Alejo<cgoreti@hotmail.com>" (likely spoofed)
Received: "from host.mm-online.ga (unknown [185.222.57.247]) "
Date: "10 Mar 2022 21:40:39 +0100"
Subject: "payment invoice"
Attachment: "00098765434500987654323490000.pdf..zip"

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39191430.14516.16975.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/622b19ec0cd58dbd927d1bd9/reports/29a94962-0614-4238-a4d9-e9d6a6a2e2ac/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/1c55fbef2f04462f10f440ce6c2e3eacb987ffbdeb3cb5adfe92b566f98a65cf

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c55fbef2f04462f10f440ce6c2e3eacb987ffbdeb3cb5adfe92b566f98a65cf/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-03-11 09:44:13 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 42 (40.48%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=drk7x3zpardc6ehuidhgylr6vs4yp7555m6lllp6sk2wn6mkmxhq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:pot0 loader rat suricata

Link:

https://tria.ge/reports/220311-lqjpfabhhp/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/1c55fbef2f04462f10f440ce6c2e3eacb987ffbdeb3cb5adfe92b566f98a65cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1c55fbef2f04462f10f440ce6c2e3eacb987ffbdeb3cb5adfe92b566f98a65cf

(this sample)

Formbook

exe 4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample