MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e3cddeab591a0b2bfa55387654e26e96609fb5a4af15a9ab032612a26ed6a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e3cddeab591a0b2bfa55387654e26e96609fb5a4af15a9ab032612a26ed6a88
SHA3-384 hash: e1159968c8277d054d1af705b88601cc671ceb112c2f03e0485999d99f12545f3a0c469fe89083283e8cd3bb2803f2b3
SHA1 hash: 8a28883abe4d0a4d119acb9a38013377bbcb6a63
MD5 hash: 896936ef0544db8a76e439b4618848cc
humanhash: kitten-colorado-quebec-timing
File name:QUOTATION.iso
Download: download sample
Signature Formbook
Create hunting rule
File size:516'096 bytes
First seen:2022-02-02 14:19:54 UTC
Last seen:2022-02-02 14:31:06 UTC
File type: iso
MIME type:application/x-iso9660-image
ssdeep 6144:SVO7JpyTa8QJ+4McLgQWtOjh8Kiab2U2jnPVwOVCC3rr143W962Ya:SVO7JCQJrMcL5aOVfiabXYPWu7WW9X
TLSH T10BB49DA4A1AB8591F00BC974257CF96502B331E3E8C60D39276D3645CFEEF983E8564E
Reporter cocaman
Tags:FormBook iso


Avatar
cocaman
Malicious email (T1566.001)
From: "Anamaria Procurement <sraza@butlerme.com>" (likely spoofed)
Received: "from butlerme.com (unknown [185.222.57.233]) "
Date: "2 Feb 2022 15:18:22 +0100"
Subject: "QUOTATION"
Attachment: "QUOTATION.iso"

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_fs911.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/61fa93196d25ac9e79fc81f8/reports/6ee0e8c2-9610-41e8-9d6e-e68555c6fc8b/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e3cddeab591a0b2bfa55387654e26e96609fb5a4af15a9ab032612a26ed6a88/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 14:20:12 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jy6n32vvsgqlfp5fkodwktrg5ftat622jlyvvgvqgjqsujxnnkea._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ihg0 loader rat suricata
Link:
https://tria.ge/reports/220202-rne65aaccr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4e3cddeab591a0b2bfa55387654e26e96609fb5a4af15a9ab032612a26ed6a88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 4e3cddeab591a0b2bfa55387654e26e96609fb5a4af15a9ab032612a26ed6a88

(this sample)

Formbook

Executable exe d750b5eb0bd3c9b24c2505c127c2a1ab78fd3385a2157083fcabdbba45bef7ba

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d750b5eb0bd3c9b24c2505c127c2a1ab78fd3385a2157083fcabdbba45bef7ba
  
Dropping
Formbook

Comments