MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51cfb97e6e1e19e8a0c068bd0d3ef9710777718cb9048944cccdebdc4bd3f951. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51cfb97e6e1e19e8a0c068bd0d3ef9710777718cb9048944cccdebdc4bd3f951
SHA3-384 hash: 69de2b371c92da0dc00c38b715e237e3440475445fd37cd1daa200f96dc3f9e51c33a8e5b9921b556920c2aaf254240d
SHA1 hash: 9865ac66e1ffab8324394b030b107f9e863c3fb1
MD5 hash: de0448c16540c8ec55e6af25078fbac8
humanhash: table-autumn-yellow-apart
File name:Order confirmation 49506.PDF.iso
Download: download sample
Signature Formbook
Create hunting rule
File size:538'624 bytes
First seen:2021-09-24 08:13:17 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:GZrYGEVYoe9w7blnIuYMoGcMI5H9MXJ3dGMMLVbGJKJewYkVf:a8YH9wXlnIu4GcM2oBURGJeBV
TLSH T1CBB4E050A7DCEA9FE319297569546C004267E3DD21A2DE4AFC6E40793FE3208FB11EC6
Reporter cocaman
Tags:iso


Avatar
cocaman
Malicious email (T1566.001)
From: ""Arshad" <btoma@link-us-online.com>" (likely spoofed)
Received: "from link-us-online.com (unknown [103.156.91.251]) "
Date: "23 Sep 2021 17:29:51 -0700"
Subject: "RE: REF:-1260 REQUIRED & Requesting for PI - 2021"
Attachment: "Order confirmation 49506.PDF.iso"

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_badexts64.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51cfb97e6e1e19e8a0c068bd0d3ef9710777718cb9048944cccdebdc4bd3f951/
Threat name:
Win32.Trojan.Zmutzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 22:04:09 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khh3s7todym6riganc6q2pxzoedxo4mmxecisrgmzxv5ys6t7fiq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ny9y loader rat suricata
Link:
https://tria.ge/reports/210924-j4z78sgcgp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.caddomain.com/ny9y/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/51cfb97e6e1e19e8a0c068bd0d3ef9710777718cb9048944cccdebdc4bd3f951

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 51cfb97e6e1e19e8a0c068bd0d3ef9710777718cb9048944cccdebdc4bd3f951

(this sample)

Formbook

Executable exe 4dfab25d3ccff9a33396c252590c27c57f23f9a94b11ebd9834b23981b0908e6

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4dfab25d3ccff9a33396c252590c27c57f23f9a94b11ebd9834b23981b0908e6

Comments