MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 635de53ab09e4d3adbc5c2b134456e21e94941265db321f792f823b3e749a355. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 635de53ab09e4d3adbc5c2b134456e21e94941265db321f792f823b3e749a355
SHA3-384 hash: 8216fe7e2389045dee9c57dbb17742eda060280304bb413503409aefdcf4a3e9c300be768001a6ffcb6aab95ebcf7da1
SHA1 hash: 94406bb8762154b6e26be89e00a6bed69268e44f
MD5 hash: 6cec38f880405c6b20b5f957dc0f3e19
humanhash: red-georgia-zulu-ohio
File name:Emailing Swift.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:357'135 bytes
First seen:2022-01-15 07:22:19 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:r3qi5UxeYrzimpq28nhjt4xWWxAb1/EOGqCj+3IE/ERi9UWolVxVyvK44L:racqBj0hjt4oWM1/gqCqIE/ER3llUO
TLSH T1A67423D8C483EB61F62065DA972DC1AF4E789281557DE87AE33076B26CAFF451C0A343
Reporter cocaman
Tags:FormBook INVOICE r11 rar SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: "Fast e-Invoice <einvoice@fastsoftware.com.vn>" (likely spoofed)
Received: "from fastsoftware.com.vn (unknown [45.137.22.35]) "
Date: "14 Jan 2022 16:46:33 +0100"
Subject: "=?UTF-8?B?UmU6IENvbmZpcm1hY2nDs24gZGUgdHJhbnNmZXJlbmNpYQ==?="
Attachment: "Emailing Swift.r11"

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed print.exe
Link:
https://www.filescan.io/uploads/61e2765bf2e8ec86fe00a158/reports/d76c78d2-07aa-4128-9dda-d5d233fd147c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/635de53ab09e4d3adbc5c2b134456e21e94941265db321f792f823b3e749a355/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-01-15 07:23:12 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
17 of 28 (60.71%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mno6kovqtzgtvw6fykytirloehuusqjglwzsd54s7ar3hz2junkq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n8bs loader rat
Link:
https://tria.ge/reports/220115-h7tn7adbg3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/635de53ab09e4d3adbc5c2b134456e21e94941265db321f792f823b3e749a355

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 635de53ab09e4d3adbc5c2b134456e21e94941265db321f792f823b3e749a355

(this sample)

Formbook

Executable exe 3802c17da19f4b86af70916d72948d6a73d6c388efdbae0598fdefc0ea0a5741

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3802c17da19f4b86af70916d72948d6a73d6c388efdbae0598fdefc0ea0a5741

Comments