MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a
SHA3-384 hash: 1c86aa5b0fdd88dd74d6c8bf4b9aba2a2c3a0bceca54b9403baae1d1d5c6629c6faffa0fb0169cb8f4475c6fb6a040e2
SHA1 hash: 2cdde1c0ad9a33deaa1992984398682d362da854
MD5 hash: fa1641b9d0b34483ebf416c926ebe2d4
humanhash: india-snake-nitrogen-september
File name:PO1.xll
Download: download sample
Signature Formbook
Create hunting rule
File size:566'784 bytes
First seen:2022-04-12 12:20:46 UTC
Last seen:2022-04-14 10:13:38 UTC
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:Vn/zDvGHAykHSzLW/4+8bzbBSreMdzLKgFK/UqW:ZzbGHAzHAjX1wccL
Threatray 114 similar samples on MalwareBazaar
TLSH T11AC48D57F7C7FAB0E6BE827A86B1891C527774520260A78F674072896D23392493DF0F
Reporter abuse_ch
Tags:FormBook xll

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO1.xll
Verdict:
No threats detected
Analysis date:
2022-04-13 04:07:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0f02f09-7871-409e-82fb-22f1eb849b1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed packed
Link:
https://www.filescan.io/uploads/62556eceffe27d5119b558fb/reports/e05337eb-0fd3-4af0-890e-21197e4614e0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a/
Threat name:
ByteCode-MSIL.Trojan.ExcelAddin
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 06:36:16 UTC
File Type:
PE+ (Dll)
Extracted files:
3
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejtcnak33clzi5k3irvntkyxv3msq74xbzno2piyjxbu4hwdj2fa._file
Verdict:
unknown
Similar samples:
0c425d6c6bce93fad4f32c275db574e8b3161a1ae55a9a957d50020b516d3e2c
Formbook
1c7e66126306537a453d7a792978464aa8ad5ac2f34bd1fccfffe7e0b9c6d85c
Formbook
2d9035fccfa410259c75bb54edc9c95c2d736e6bdf87832fc2062dcd89286b39
Formbook
2f617a71f3eaab15248aa9a964c464e71d8ec784417e79c38b5951ddfa39c2de
Formbook
30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4
Formbook
5f1beab27690a8ea9b9be78c5d34dd852dd3af4f5128feace84d1b2e10d73b59
Formbook
676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784
Formbook
b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
Formbook
e0a8a096299e8b28d1166af3321045635294e03227d45515f5c48f4fd38e943b
Formbook
e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7
Formbook
+ 104 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:emm4 loader rat
Link:
https://tria.ge/reports/220412-pjbxsseec5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Xloader Payload
Process spawned unexpected child process
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xll 226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments