MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874
SHA3-384 hash:	23328a1a06a15afe443ac5afe4c0d54658009e9fd46e2b2a1554ba476b6c0b02ec9c0aed7b74fd51f996fec4fc808aa3
SHA1 hash:	4b180fbfa958909a9505e9b7f625c6127c18789a
MD5 hash:	c465d4c7469ae6b40cc77e8769fd4b27
humanhash:	foxtrot-cat-oven-fillet
File name:	INQNEW#PO24052022,qdf.iso
Download:	download sample
Signature	Formbook Create hunting rule
File size:	335'872 bytes
First seen:	2022-05-25 13:59:30 UTC
Last seen:	Never
File type:	iso
MIME type:	application/x-iso9660-image
ssdeep	6144:Ak7UBESgNSEizByInd1P+Uacnd1AsARhiP2z:Ak7Xc7BR3m0zA1US
TLSH	T1E164F10467CD4716F2EC1E7254E616BC12319876E9D7E34FAC8C90292D313D926E1FAB
TrID	99.4% (.NULL) null bytes (2048000/1) 0.2% (.ISO) ISO 9660 CD image (5100/59/2) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter	cocaman
Tags:	FormBook iso

cocaman

Malicious email (T1566.001)
From: ""Stephany Gavin StarGC" <stephany.gavin@domainsurportm.live>" (likely spoofed)
Received: "from box0.domainsurportm.live (box0.domainsurportm.live [37.0.8.73]) "
Date: "24 May 2022 07:59:38 -0700"
Subject: "INQUIRY_NEW PO 7187"
Attachment: "INQNEW#PO24052022,qdf.iso"

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

n/a

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe strictor wacatac

Link:

https://www.filescan.io/uploads/628e36a36eb3ff32632c0b35/reports/54ecdc36-50eb-4d6d-bfcd-3ca5b1f87b4b/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-24 09:52:31 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 41 (43.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mlklqcidnmbse3d3lq3lmetns7gb5t4rkiabiy4rx4c6otcy5b2a._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:be4o loader persistence rat suricata

Link:

https://tria.ge/reports/220525-razcvaahe9/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Adds policy Run key to start application

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_EXE_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:	Internal Research