MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48e4cd9a5052a73be03c2c9079af0227d2241fb689073fdbcd6a8cd2fb186e2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48e4cd9a5052a73be03c2c9079af0227d2241fb689073fdbcd6a8cd2fb186e2b
SHA3-384 hash: 04e3f2550329e8337081e48d6a6fc5619686eeb0f0f9173a80138fac06e735e6d40a4b5b970c0394e8f84634cd2d6448
SHA1 hash: dbf3293434f1b739c13f5172b6b3760b550446a6
MD5 hash: 9566edf7503c50e566a6d32a4ad5a712
humanhash: ink-moon-double-hotel
File name:Shipping invoice2320214010.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:406'021 bytes
First seen:2021-12-23 07:49:20 UTC
Last seen:2021-12-23 12:59:24 UTC
File type: zip
MIME type:application/zip
ssdeep 6144:QbVs7wNEvFzeLqEgvJFOqThng0YkaVH+0kirgK6KpXleHCKuU5Rqw:QbWtUzgvhThgBL+urtnV/27qw
TLSH T181842389BC4B3424DB5FC9795E325E58BBB4A28D3B71447E6E3D063244481BF580EB27
Reporter cocaman
Tags:FormBook INVOICE zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Sarath <sarath.t@jinasena.com.lk>" (likely spoofed)
Received: "from jinasena.com.lk (unknown [185.222.58.146]) "
Date: "23 Dec 2021 11:51:13 +0100"
Subject: "invoice For shipment"
Attachment: "Shipping invoice2320214010.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2981.10400.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61c42a2eec6c6c14a9ebfc28/reports/bd13158b-11b8-4198-8e70-1c1f55f91830/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/48e4cd9a5052a73be03c2c9079af0227d2241fb689073fdbcd6a8cd2fb186e2b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48e4cd9a5052a73be03c2c9079af0227d2241fb689073fdbcd6a8cd2fb186e2b/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 04:34:14 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdsm3gsqkkttxyb4fsihtlyce7jcih5wredt7w6nnkgnf6yynyvq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:posg loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/211223-jn93hahcd4/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/48e4cd9a5052a73be03c2c9079af0227d2241fb689073fdbcd6a8cd2fb186e2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 48e4cd9a5052a73be03c2c9079af0227d2241fb689073fdbcd6a8cd2fb186e2b

(this sample)

Formbook

Executable exe e5382c0f749dd238b9e8ae94cd3703bf06c01ec6c4314597e3c0e1aec8fa7419

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 e5382c0f749dd238b9e8ae94cd3703bf06c01ec6c4314597e3c0e1aec8fa7419
  
Dropping
Formbook

Comments