MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ad97ebf742720f93f46d8ca3b05f270e4366b1de222d8998e341d5ad431ca4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ad97ebf742720f93f46d8ca3b05f270e4366b1de222d8998e341d5ad431ca4d
SHA3-384 hash: 651c05f40b6393d4bdd2c158ff44db7134b2840153d01d3a2d3025a117168b3fbcac6fe4597d432223ddfde6065a2021
SHA1 hash: 68a232a0fcdf27f880c68bc11447d4100ca79a7c
MD5 hash: 6904aca678b3f26c76cf49f6e29273be
humanhash: red-sweet-charlie-november
File name:AWB & Shipping Documents pdf.tar
Download: download sample
Signature Formbook
Create hunting rule
File size:657'845 bytes
First seen:2021-07-14 14:50:30 UTC
Last seen:Never
File type: tar
MIME type:application/x-rar
ssdeep 12288:g4yzDO+htk1uYyJhfKM+kx6Sux/Raf/JJwRkEUJrA6EE4XhR:gLKq6uYyJUDF/+2RJL
TLSH T1FFE4233E7527AC19C80BDB7DFC22709BBD52C1E643B42228A953DCAF54E693BC605742
Reporter cocaman
Tags:DHL FormBook INVOICE tar


Avatar
cocaman
Malicious email (T1566.001)
From: "Khalil (DHL EXPRESS) <Khalil.Mohamed@dhI.com>" (likely spoofed)
Received: "from dhI.com (unknown [103.167.91.104]) "
Date: "14 Jul 2021 06:54:57 -0700"
Subject: "Fwd: Urgent Invoices with AWB & Shipping Doc"
Attachment: "AWB & Shipping Documents pdf.tar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Zmutzy.903.26042.6964.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ad97ebf742720f93f46d8ca3b05f270e4366b1de222d8998e341d5ad431ca4d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 14:51:05 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=flmx5p3ue4qpsp2g3dfdwbpsodsdm2y54irnrgmogqovvvbrzjgq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210714-5vh4bxq2rj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.coffeyklatch.com/iuem/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ad97ebf742720f93f46d8ca3b05f270e4366b1de222d8998e341d5ad431ca4d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

tar 2ad97ebf742720f93f46d8ca3b05f270e4366b1de222d8998e341d5ad431ca4d

(this sample)

Formbook

Executable exe 4f588080c3618162c1bd0337092af0ba118b7277de6c2043a988562efdb0cbbb

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4f588080c3618162c1bd0337092af0ba118b7277de6c2043a988562efdb0cbbb
  
Dropping
Formbook

Comments