MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cbcddaa8a22835c3c728de1e3ed9326f980a16af6e6cc32757dc04ee48d86eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cbcddaa8a22835c3c728de1e3ed9326f980a16af6e6cc32757dc04ee48d86eb
SHA3-384 hash: 55cc062c9859e037ddf828dc24c9c70baf14aa7cbcf4c2ceef93ec59ec1d9367aabbdf82fb6a4c07b79bb29707d78bb2
SHA1 hash: 154bb1111fdb569c4a3a978c8726baafe93f5634
MD5 hash: 0c1c3d800568b496753b459c7b48ae3b
humanhash: virginia-network-helium-mango
File name:RFQ_R4100131210.pdf.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:556'471 bytes
First seen:2021-04-20 14:38:11 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 12288:BhzGnZKArkdStacbhZYk4ZUafUCAiYvNiezNRZvZ+Xm:vza0EhZTeUa8sezbZsW
TLSH 19C42365193C317205F144A9D2FE41FB66E692B29422ED4CE7B902E6E742C33BD7B803
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Gavin Zhou <sales@trustlab-china.com>" (likely spoofed)
Received: "from trustlab-china.com (unknown [103.133.105.111]) "
Date: "20 Apr 2021 06:45:15 -0700"
Subject: "REQUEST FOR QUOTATION (RFQ REF : R4100131210)"
Attachment: "RFQ_R4100131210.pdf.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cbcddaa8a22835c3c728de1e3ed9326f980a16af6e6cc32757dc04ee48d86eb/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=js6n3kukekbvypdsrxq6h3mte34ybilk63tmymtvpxae5zenq3vq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210420-hdt75yxy5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.huamxvcyq.icu/aepn/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/4cbcddaa8a22835c3c728de1e3ed9326f980a16af6e6cc32757dc04ee48d86eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 4cbcddaa8a22835c3c728de1e3ed9326f980a16af6e6cc32757dc04ee48d86eb

(this sample)

Formbook

Executable exe 414d26c286eeeda12cc3705aa3ed2ae06e901dc09795434e6abe4389f31c1e8e

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 414d26c286eeeda12cc3705aa3ed2ae06e901dc09795434e6abe4389f31c1e8e
  
Dropping
Formbook

Comments