MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d85cd7dfc24cab7e73a92a9c6d8b3f43b05bb6abbcb0fad4c8fa174020a66a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d85cd7dfc24cab7e73a92a9c6d8b3f43b05bb6abbcb0fad4c8fa174020a66a3
SHA3-384 hash: 4459461b2225a78c31cb83411286d921e0e9a4ad6b8215eb68f17a8fb24adb33d6bc1c2be278deede240cb08c1783ee0
SHA1 hash: 82d8b5b2c11d54940810b2cd8cccef1f8a35d580
MD5 hash: da11d051665b2ed63f1212e8f4b0a07c
humanhash: rugby-salami-eleven-tennessee
File name:Statement of Accounts ( Shipped ) 08554-221320.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:396'974 bytes
First seen:2022-01-13 10:31:40 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:K6hST3yEOc1sEDRgIJrSNWrlU4NbHNn18Qc26fk6YXaLnFYJdteMAD5BmBVPdVOC:K6E3zOxT4xUsOT2RMyteMANBmBtdH
TLSH T16B8423D6334E9391B33C67CC6D9C6B282EEFDBBAC51D9C560A5959EB402C34C6A0CD21
Reporter cocaman
Tags:FormBook r11 rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Luck Siam Trade <mai@lucksiamtrade.co.th>" (likely spoofed)
Received: "from lucksiamtrade.co.th (unknown [45.137.22.35]) "
Date: "13 Jan 2022 08:30:51 +0100"
Subject: "Re:Statement of Accounts ( Shipped )"
Attachment: "Statement of Accounts ( Shipped ) 08554-221320.r11"

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61dfffa6e997359713e577fb/reports/f6dc156c-2d5b-44aa-9e2c-6010baf2054f/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d85cd7dfc24cab7e73a92a9c6d8b3f43b05bb6abbcb0fad4c8fa174020a66a3/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 10:32:12 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
7 of 43 (16.28%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwc427p4etflpzz2sku4nwft6q5qlo3kxpfq7lkmr6qxiaqkm2rq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n8bs loader rat suricata
Link:
https://tria.ge/reports/220113-mky3lshebn/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/2d85cd7dfc24cab7e73a92a9c6d8b3f43b05bb6abbcb0fad4c8fa174020a66a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 2d85cd7dfc24cab7e73a92a9c6d8b3f43b05bb6abbcb0fad4c8fa174020a66a3

(this sample)

Formbook

Executable exe b59ebb440937c57845ec3a6b7251cecd72aed8a9f2e31966a31356cf1fac3eb0

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b59ebb440937c57845ec3a6b7251cecd72aed8a9f2e31966a31356cf1fac3eb0

Comments