MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23973a47f42723d89b65a45b84487832e4dd3098464e29247efde2be101bf12e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23973a47f42723d89b65a45b84487832e4dd3098464e29247efde2be101bf12e
SHA3-384 hash: ac6bdaafd1e60b49294e3e7a0da18eda487b1aa8ea367cfc0eaff3fd3dc01a8e19c3cdbf67719e03baddb176a1172c6e
SHA1 hash: 0e8f508730e7856b9396d72b1d24082c7141257d
MD5 hash: a778a140a644dc7fa4e2ae0bfe45e0e5
humanhash: triple-may-mountain-asparagus
File name:0060422.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:7'478 bytes
First seen:2022-04-06 11:45:11 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 192:EvLWem+Rwpegge6JpV9EcbCNylctlyHtZt2:Qlm4VXbgyKz
TLSH T1BDF1BFAD9187F22ECE686AB19734570CEE61149DF40343040F255A738C9B74F83CB9C2
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "MCS SDN BHD < ida.fre@healthexchangesny.com>" (likely spoofed)
Received: "from occupation.healthexchangesny.com (occupation.healthexchangesny.com [185.102.170.20]) "
Date: "5 Apr 2022 23:11:25 -0700"
Subject: "Fwd: Bank in copy"
Attachment: "0060422.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_exenum416.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.TrojanDownloader.MSIL.Seraph.bab8b723.12953.9602.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/624d7d7cdb9ca5cf842cb5d7/reports/e55a5c19-30f9-4b97-a127-1a3b12d1e210/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/23973a47f42723d89b65a45b84487832e4dd3098464e29247efde2be101bf12e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23973a47f42723d89b65a45b84487832e4dd3098464e29247efde2be101bf12e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-04-06 04:46:16 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
12 of 42 (28.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eoltur7ue4r5rg3furnyisdyglsn2meyizhcsjd67xrl4ea36exa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oh75 persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220406-nxaffsfdcr/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/23973a47f42723d89b65a45b84487832e4dd3098464e29247efde2be101bf12e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 23973a47f42723d89b65a45b84487832e4dd3098464e29247efde2be101bf12e

(this sample)

Formbook

Executable exe 9ae7a32e1f8d49f2d13f632a946043dfe347f3d71ca95c146f0f2e597b54c4d5

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9ae7a32e1f8d49f2d13f632a946043dfe347f3d71ca95c146f0f2e597b54c4d5

Comments