MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43d253235a7ea6fd9ddad78fa30da21f66201df047be1c5d0900dc3cff957c75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 5



SHA256 hash: 43d253235a7ea6fd9ddad78fa30da21f66201df047be1c5d0900dc3cff957c75
SHA3-384 hash: 6047e9bf7e64f946f0280ec48d2169768f1816955c37d6aee41d5f75bc66521e36c5fd28c4b828bfb3911de9da6f5f9e
SHA1 hash: 597990e78d07f90da30cb5790421defe5d561e39
MD5 hash: 5d46eccdae2a5dd4c6f9f48a06d70499
humanhash: north-aspen-beer-mike
File name: VM Accord, ORDER TKHA-A88160011B.pdf.exe.7z
Signature: Formbook
File size: 422'656 bytes
First seen: 2021-09-06 11:55:55 UTC
Last seen: 2021-09-06 11:59:01 UTC
File type: 7z
MIME type: application/x-7z-compressed
ssdeep: 12288:U0o/B/in95DYtUowgqjyXoc39YjqMeKp+yzyK5a:U0o/M9uyowgcyz3WjqSFzyya
TLSH: T1C494237F91EC342BFA36F0E3517E7A48F824A07974542E9B6262C730E35A6D40F4D826
Reporter: cocaman
Tags: 7z FormBook


cocaman
Malicious email (T1566.001)
From: "Clark Groeneweg <sales@greenwayassoc.com>" (likely spoofed)
Received: "from greenwayassoc.com (unknown [180.214.239.121]) "
Date: "06 Sep 2021 03:29:55 -0700"
Subject: "VSL: VM Accord, ORDER: TKHA-A88160011B"
Attachment: "VM Accord, ORDER TKHA-A88160011B.pdf.exe.7z"

Intelligence

File Origin
# of uploads: 9
# of downloads: 319
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-06 09:08:37 UTC
File Type: Binary (Archive)
Extracted files: 15
AV detection: 14 of 28 (50.00%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:ntem loader rat

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader

Malware Config
C2 Extraction: http://www.ransoneransone.com/ntem/

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Formbook | 7z 43d253235a7ea6fd9ddad78fa30da21f66201df047be1c5d0900dc3cff957c75 (this sample)

Delivery method: Distributed via e-mail attachment

Comments