MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd33ed5de91c1ab22e920672837b4fd41cc0cf45ac0cec715d228512b0b57de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cd33ed5de91c1ab22e920672837b4fd41cc0cf45ac0cec715d228512b0b57de
SHA3-384 hash: 910e9e259a7eecc62da7b33a37146396b0a4c99d1eb0612929337f553757d130339607dff1b720e3862ec1ee61d6e5a3
SHA1 hash: 717e7a614fb0eba9e61a86087226c4c3991d0020
MD5 hash: 4f87da161eb8d520ab0577362c5c5be7
humanhash: fruit-ten-undress-blossom
File name:00110030.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:449'699 bytes
First seen:2021-11-30 18:55:31 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:GvBD10kvUqoVHJ23tOPkN698Oa8v8uSXQw6g+3S:GJ50ksBJjkdsGXQwr+C
TLSH T190A423AFFDCE036D70AA0D63A160E2EF5773A861A59B21DE874A2D8D05E347C7026185
Reporter cocaman
Tags:FormBook lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Chan Lai Peng <uzm.bry@nvgolfer.com>" (likely spoofed)
Received: "from slot0.nvgolfer.com (slot0.nvgolfer.com [194.99.46.168]) "
Date: "30 Nov 2021 09:21:17 +0100"
Subject: "Fw: PO # 210669"
Attachment: "00110030.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a673c5c4c531414823c457/reports/8beb8db1-fcd2-4e46-a0e4-90f21027adce/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cd33ed5de91c1ab22e920672837b4fd41cc0cf45ac0cec715d228512b0b57de/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-30 18:02:16 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
10 of 45 (22.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtjt5vo6sha2wixjebtsqn5u7va4ydhullam5ryv2iufckylk7pa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n3cs loader rat
Link:
https://tria.ge/reports/211130-xlcwwabbf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.safetyeats.online/n3cs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/4cd33ed5de91c1ab22e920672837b4fd41cc0cf45ac0cec715d228512b0b57de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 4cd33ed5de91c1ab22e920672837b4fd41cc0cf45ac0cec715d228512b0b57de

(this sample)

Formbook

Executable exe 9cbaac93f8d7814691953b27252b376665d0938ecaf9c1e0e375176aaa932ce6

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9cbaac93f8d7814691953b27252b376665d0938ecaf9c1e0e375176aaa932ce6

Comments