MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45
SHA3-384 hash:	ba530f989837232c138955e5f4612a2b78d25b71cac66112713cf837834419463aced387afd0e3d6dd999c3fc7ff4014
SHA1 hash:	8c0bc738a54291702bc6b74f830f2288f3492b5d
MD5 hash:	fe9cfc498ecfc9ccee053ece663fee0a
humanhash:	wisconsin-hot-august-tennessee
File name:	PO.NX-48940.Cab
Download:	download sample
Signature	Formbook Create hunting rule
File size:	806'550 bytes
First seen:	2021-11-25 13:27:05 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:i+3V1iARDZ1Wv7GFdc6v8cnr3pB7PeDhxYjAnJtWcpEL36USv:i+FrZ1Wv74d9lTrbeDhmgJtWf36USv
TLSH	T174056BA16680693AC5B72579CCBF86948E387D14CDF9BC963EE179090FF5361700EB82
Reporter	cocaman
Tags:	cab FormBook rar

cocaman

Malicious email (T1566.001)
From: "Turan Abhilash <abhilash@alalninsurance.com>" (likely spoofed)
Received: "from mail0.alalninsurance.com (mail0.alalninsurance.com [192.241.145.200]) "
Date: "Thu, 25 Nov 2021 14:25:53 +0100"
Subject: "RE:URGENT NEW PO.NX-48940 (SHAFT)/ Ask for Quotation"
Attachment: "PO.NX-48940.Cab"

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Porcupine.Win32.Injector.EQPY.102534.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/619f8f6502c80febc2a93220/reports/b91b35bc-caf6-440d-83c7-aa659056815d/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-11-25 07:47:48 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

4 of 28 (14.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibxx6i3yfl3c7eoah57vmrd2e74iw3marmtrujm2ce6ywtswxncq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:s9m3 loader persistence rat suricata

Link:

https://tria.ge/reports/211125-qqnevafcgp/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.zhhctax.com/s9m3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45

(this sample)

Formbook

exe e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample