MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40dbca0dc293feaf8428c8511e5ea96c9a5794520f96b7f9b718b34b2b640374. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40dbca0dc293feaf8428c8511e5ea96c9a5794520f96b7f9b718b34b2b640374
SHA3-384 hash: 9d67cc9fbee07b1a22174fa11cc166de5ad7ae99a05922a137226a3b04dcc3681714f13bfb69695db9682c88dd1a38af
SHA1 hash: e631061177df9131590d8bf06d833f8ba5619422
MD5 hash: a4039fcf77b45aacf5030d812bce0d1a
humanhash: helium-pizza-tennis-kansas
File name:quotation New Order I5117.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:552'079 bytes
First seen:2022-01-10 07:52:07 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:GhIeKj7ulVz3hZdY/+CIcztm+vHzglQcTNq2pHDQQRz+:3eh1q/pmETQNbQQk
TLSH T1F6C4238A7D084A7781CB36D8728FC1345D8438AFF91261ADBDD5A8F75943A4C83A8333
Reporter cocaman
Tags:FormBook r11 rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Globalsupply <foodtrade@fresco.co.kr>" (likely spoofed)
Received: "from fresco.co.kr (unknown [185.222.58.123]) "
Date: "10 Jan 2022 05:58:59 +0100"
Subject: "=?UTF-8?B?UkU6IOugiDog66CIOiBbUmVdIHF1b3RhdGlvbi9OZXcgT3JkZXIgSS81MTE3?="
Attachment: "quotation New Order I5117.r11"

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe evasive obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/61dbe5e11c0d769df9ddefb1/reports/aac58735-d3ab-4b06-8aee-cff7ca29512a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40dbca0dc293feaf8428c8511e5ea96c9a5794520f96b7f9b718b34b2b640374/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-01-10 07:53:12 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
9 of 43 (20.93%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=idn4udocsp7k7bbizbir4xvjnsnfpfcsb6llp6nxdczuwk3ean2a._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n8bs loader rat suricata
Link:
https://tria.ge/reports/220110-jqzpjsecfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/40dbca0dc293feaf8428c8511e5ea96c9a5794520f96b7f9b718b34b2b640374

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 40dbca0dc293feaf8428c8511e5ea96c9a5794520f96b7f9b718b34b2b640374

(this sample)

Formbook

Executable exe 9f5649294d8a9d4cc583e6bbcb11d8287e02f5221d3f7be4109048271f1112c2

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9f5649294d8a9d4cc583e6bbcb11d8287e02f5221d3f7be4109048271f1112c2

Comments