MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a19f9f6d88cd86681edee1bbcb3f5ade2237d38ccac3e401eeb820918130823. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a19f9f6d88cd86681edee1bbcb3f5ade2237d38ccac3e401eeb820918130823
SHA3-384 hash: ee6c83e2c07cc0e63008c938a58512ce7dd750649647e27e6e99df562ed0e0de46ccc2964fab6d4a737d14ed908d9806
SHA1 hash: 769bddbab8e6e3d65ee6999d13b6bedd54ae383c
MD5 hash: 18ddca4387fe50fafa86c18a2ab67be6
humanhash: oranges-solar-nevada-hot
File name:Jayaswal Neco Industries - Products List & document.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:1'065'541 bytes
First seen:2021-12-08 10:15:29 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:MkbikjtCj9QAWCac2CxDa+q/tgTjbh0BQULMOZyny2cIWbgk4Gne7suwGA1P9UFL:Mk3CGAWCwCxIFgjV0GyIny2chbgk4Ger
TLSH T1953533A7AC33D548C9C8B65F27FB13B465D24F5DB6012A0D906BBC3851214AFAC5B8F8
Reporter cocaman
Tags:FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: ""Jayaswal Neco Industries Ltd" <webmaster@matsuura.co.jp>" (likely spoofed)
Received: "from matsuura.co.jp (unknown [185.222.57.237]) "
Date: "8 Dec 2021 08:06:52 +0100"
Subject: "JAYASWAL NECO - PURCHASE INQUIRY"
Attachment: "Jayaswal Neco Industries - Products List & document.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b085e5fa72c81b5b117d4f/reports/4bff4124-9a56-4f0f-ba97-58ccbaf29386/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a19f9f6d88cd86681edee1bbcb3f5ade2237d38ccac3e401eeb820918130823/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-08 07:39:09 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lim7t5wyrtmgnapn5yn3zm7vvxrcg7jyzswd4qa65obasgatbarq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:46uq loader rat suricata
Link:
https://tria.ge/reports/211208-mas4lshegn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.liberia-infos.net/46uq/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a19f9f6d88cd86681edee1bbcb3f5ade2237d38ccac3e401eeb820918130823

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 5a19f9f6d88cd86681edee1bbcb3f5ade2237d38ccac3e401eeb820918130823

(this sample)

Formbook

Executable exe d176de3884899e94f7c82f1ad0b21e9f305d3d5d7d753cc701a880e01d692cad

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d176de3884899e94f7c82f1ad0b21e9f305d3d5d7d753cc701a880e01d692cad

Comments