MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a
SHA3-384 hash: d4e0cf7ad9d83b0903554a06aa4b2876909ebed2dd74a2b311774deba7769f6118091be3abfd2880188191d03f52837a
SHA1 hash: cf38b300fd8767db95585f78ea427ba26b8cbd8d
MD5 hash: 111325614561306dcfbbb69f1c83a613
humanhash: neptune-foxtrot-neptune-five
File name:SHELL-RFQ-Project.cab
Download: download sample
Signature Formbook
Create hunting rule
File size:335'585 bytes
First seen:2021-04-12 12:23:14 UTC
Last seen:Never
File type: cab
MIME type:application/vnd.ms-cab-compressed
ssdeep 6144:Y0a3K34oIjJpCAKOnBpH2gYaGtZzj4S+nh4Gppv7xZtXORYEIeW0BMGUfe:za3K34oISynBRVYTtZzj6XVZtXOCeW0r
TLSH 3B6423D2B8E415012CDA39E1995A47507BA8A3F21D0EF24319B7CBBE058D29176F3E1A
Reporter abuse_ch
Tags:cab


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm51.hanmail.net
Sending IP: 203.133.180.239
From: Jaeho Lee <bjk8116@daum.net>
Subject: KHE RFQ No. PG6432 PROJECT Reactor/ Heat exchangers/ Materials/Equipment _KOC JURASSIC PRF Canada
Attachment: SHELL-RFQ-Project.cab (contains "PO.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Mal.DrodCab-A.1423.8244.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-11 23:35:42 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnq4cjgfgef5b3bbbedthcutu73m3mjrhr4mrl3s4ocycoitokfa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader agilenet loader rat
Link:
https://tria.ge/reports/210412-v3ea771hgs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.retro-e-scooter.com/sawc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab 3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a

(this sample)

Formbook

Executable exe 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358

  
Dropping
MD5 4bb710142c4fa183e24dbd3ce3c7b51d
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358

Comments