MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37349aa3a19bd5aaa7be4227a6ead5a556c86061c05b89e96223a838390c6451. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 5

SHA256 hash: 37349aa3a19bd5aaa7be4227a6ead5a556c86061c05b89e96223a838390c6451
SHA3-384 hash: 329c938920c62316c5ddd606c1ac88e7959443727a98e2edbd177d33116ea3d1643ebc53eaa1a99bf0733b8e4bafab01
SHA1 hash: daec176824ef63bf29a6ddd8aa8d2f754c7fc5ef
MD5 hash: 238f43f256b1dfb74f6650f7e005dd0f
humanhash: magazine-equal-indigo-speaker
File name: MT103_20210701884_USD23,450.05.iso
Signature: Formbook
File size: 1'046'528 bytes
First seen: 2021-07-03 05:40:13 UTC
Last seen: 2021-07-03 05:46:14 UTC
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:s+4ICV1kXPZ20JOtj2PJSz2AwYyGg3ssnX0NAH6PYvm54bsTwrE8hbOl8gpnVbH9:DjJ25AhkNVYmSt4YjqH9
TLSH: 86256B0EF7E0AF99D25A0F3AF41B0984ABE4C1176772F6AB2ED806D54611F4BCA0F151
Reporter: cocaman
Tags: HSBC INVOICE iso


cocaman
Malicious email (T1566.001)
From: "Yu Kuwahara - accounts dept HSBC <info@elux.ltd>" (likely spoofed)
Received: "from mail.elux.ltd (mail.elux.ltd [45.153.230.232]) "
Date: "02 Jul 2021 09:04:41 -0700"
Subject: "Fwd: MT103-Single Customer Credit Transfer for invoice"
Attachment: "MT103_20210701884_USD23,450.05.iso"

Intelligence

File Origin
# of uploads: 2
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-02 10:13:45 UTC
File Type: Binary (Archive)
Extracted files: 86
AV detection: 9 of 46 (19.57%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook agilenet rat spyware stealer trojan
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
- Executes dropped EXE
- Formbook Payload
- Formbook
Malware Config
C2 Extraction: http://www.efeded.club/vgnr/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Formbook | iso 37349aa3a19bd5aaa7be4227a6ead5a556c86061c05b89e96223a838390c6451 (this sample)

Delivery method: Distributed via e-mail attachment