MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 599cda43bb4a5ea8c717986ed7219661314ab7dba0d6a946d40742790aaf5688. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 599cda43bb4a5ea8c717986ed7219661314ab7dba0d6a946d40742790aaf5688
SHA3-384 hash: 77aa031eba39f6d7125fb78f1e22ee33b1cfa4dc6d4e78e9e03c530a53f7ca81c49967dae281a3cc690766fc2f42843e
SHA1 hash: 36d251a088de972003dcdebebad7928efc81024b
MD5 hash: b559f1ecb21ab9ce5eb9244d754649b2
humanhash: hawaii-coffee-missouri-moon
File name:statement of account.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:378'277 bytes
First seen:2022-03-17 11:18:52 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:/jaJZj738zuBFtwURx5Beud3s48upahW09B9kcBekwsk3CWnBlr/w8yTdTllP7Lt:/jY0Kis5Beud3SupKW09twsyBp/LyNTR
TLSH T17984239AEA4158C907FCED3600257766F523088E072C7AC9BEE42E7673946DCEFD1056
Reporter cocaman
Tags:FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: ""Jana Kunstmann" <info@isarpatent.com>" (likely spoofed)
Received: "from isarpatent.com (unknown [103.151.122.244]) "
Date: "17 Mar 2022 03:07:15 -0700"
Subject: "52364_WE Patent_Statement of Account_February 22, 2022"
Attachment: "statement of account.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/623319290cd58dbd92adec22/reports/290f0bd5-29f9-454f-891a-b024217eba65/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/599cda43bb4a5ea8c717986ed7219661314ab7dba0d6a946d40742790aaf5688/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 11:19:10 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
13 of 42 (30.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgonuq53jjpkrryxtbxnoimwmeyuvn63udlksrwua5bhscvpk2ea._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pc20 loader rat
Link:
https://tria.ge/reports/220317-nexg9sdbd4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/599cda43bb4a5ea8c717986ed7219661314ab7dba0d6a946d40742790aaf5688

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 599cda43bb4a5ea8c717986ed7219661314ab7dba0d6a946d40742790aaf5688

(this sample)

Formbook

Executable exe 40fa9ba8113198bf73af0101d0c0275ed1ef014a15fd83457dbdbd29e80f99a8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 40fa9ba8113198bf73af0101d0c0275ed1ef014a15fd83457dbdbd29e80f99a8

Comments