MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49c65c3ac340bc3cf7d356c5d9ab4dcad04de64908df63908cd29eaea002869b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49c65c3ac340bc3cf7d356c5d9ab4dcad04de64908df63908cd29eaea002869b
SHA3-384 hash: 7ef142b99c330b59a2a1160095aac49207eb240c7d6502002039ec37cc031bb3d384f14dc54ffbe6c97a7d50dc7e6ce7
SHA1 hash: a98c212d850d43ee554ef63dee98d9ecb900b0eb
MD5 hash: 60557b8fe8456a142ab65e6306ad8f7e
humanhash: vegan-fanta-black-speaker
File name:Closing Balance.cab
Download: download sample
Signature Formbook
Create hunting rule
File size:510'194 bytes
First seen:2021-04-13 10:47:12 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:I9Q0hrsvBHv4APoAGzYJ0Hq5iR4HAkJ/5wJhMhi:LICRgXWkRwAq5Kmi
TLSH 73B42367F43291FF9B4D4E4660A3642C35542346FB8C8CEADD4DD8B2FDA8B900198E9D
Reporter cocaman
Tags:cab Pfizer


Avatar
cocaman
Malicious email (T1566.001)
From: "<ibnoul.ly@pfizer.com>" (likely spoofed)
Received: "from ip116.ip-147-135-107.us (ip116.ip-147-135-107.us [147.135.107.116]) "
Date: "13 Apr 2021 02:32:22 -0700"
Subject: "RE: Closing Balance"
Attachment: "Closing Balance.cab"

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49c65c3ac340bc3cf7d356c5d9ab4dcad04de64908df63908cd29eaea002869b/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-04-13 10:48:07 UTC
File Type:
Binary (Archive)
Extracted files:
17
AV detection:
3 of 47 (6.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhdfyowdic6dz56tk3c5tk2nzlie3zsjbdpwheem2kpk5iacq2nq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210413-8h6ezmfsss/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.the-techs.info/chue/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49c65c3ac340bc3cf7d356c5d9ab4dcad04de64908df63908cd29eaea002869b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 49c65c3ac340bc3cf7d356c5d9ab4dcad04de64908df63908cd29eaea002869b

(this sample)

Formbook

Executable exe 78e458ae8ef10267738b8b1b1591fc5ace8bbb126d415124b1f067ad98a4801e

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 78e458ae8ef10267738b8b1b1591fc5ace8bbb126d415124b1f067ad98a4801e

Comments