MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f9ad951a110966ab4905994f48498d3872e0a1ce5756df37fb68dd6681566f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	39f9ad951a110966ab4905994f48498d3872e0a1ce5756df37fb68dd6681566f
SHA3-384 hash:	09c1d88b44a4b1124400831dbf84f29c93bd3dd1201462a4160c7aafd429285f5a7f4b047c82ea064dd2c0afa2cd26d2
SHA1 hash:	50e25140e64d86f476ddd5bdbb8101f8991a9ec8
MD5 hash:	c0be19f4d56b5e568894ffa457ebe035
humanhash:	nineteen-rugby-bulldog-oregon
File name:	IMG_9785.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	361'487 bytes
First seen:	2022-01-16 08:07:30 UTC
Last seen:	2022-01-16 08:08:06 UTC
File type:	zip
MIME type:	application/zip
ssdeep	6144:COV11La+0eXs+/G3rgTl84ozKRp78+ignJ/NwW16kCJob3bXOsdy13fRb8:CO/Rp0cj/G3rj4KKD7DNcrEjb+sdUy
TLSH	T1A17423D09BC542422F8E31B2EA134064A6F37E9B757197FDBE850BC07898988DD9BC1D
Reporter	cocaman
Tags:	FormBook zip

cocaman

Malicious email (T1566.001)
From: "info@alrabeealakhder.com" (likely spoofed)
Received: "from krvn.com.tr (unknown [212.193.30.66]) "
Date: "15 Jan 2022 07:36:38 -0800"
Subject: "RE: Quote"
Attachment: "IMG_9785.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

421

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs1702.UNOFFICIAL

Sanesecurity.Malware.25676.ZipHeur.UNOFFICIAL

Sanesecurity.Malware.22989.ZipHeur.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed print.exe wacatac

Link:

https://www.filescan.io/uploads/61e3d264f2e8ec86fe05d82d/reports/b7b4cc99-6848-4f2e-8888-0443257307ef/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/39f9ad951a110966ab4905994f48498d3872e0a1ce5756df37fb68dd6681566f

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-15 17:13:35 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hh423fi2ceewnk2jawmu6scjru4hfyfbzzlvnxzx7nun2zubkzxq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:eqhv loader rat

Link:

https://tria.ge/reports/220116-j1j2vafcg5/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/39f9ad951a110966ab4905994f48498d3872e0a1ce5756df37fb68dd6681566f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 39f9ad951a110966ab4905994f48498d3872e0a1ce5756df37fb68dd6681566f

(this sample)

Formbook

exe 31fcaa22e49398fe59bfdbd11e8b341c700c8dab0165b67caf3982f7e7164643

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 31fcaa22e49398fe59bfdbd11e8b341c700c8dab0165b67caf3982f7e7164643

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample