MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 653c0f962f564b65191195197b7c23a6af4ab422a20af5040b6ae0fb56c43f02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 6

SHA256 hash: 653c0f962f564b65191195197b7c23a6af4ab422a20af5040b6ae0fb56c43f02
SHA3-384 hash: e72cee5f0fb1a9b5bbf25073333e26929080d749bc0c9137ee6764a1a201b34f333f0a4bec765df11af2e3612cf23f0b
SHA1 hash: fd2673967ae6c3388f0ee4196461b56728dd3024
MD5 hash: d1560ecb532b2da2ade41371909896fb
humanhash: nebraska-apart-colorado-stream
File name: PCB 102021.iso
Signature: Formbook
File size: 430'080 bytes
First seen: 2021-11-03 18:07:28 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 6144:x5s1C+Fk8mhcQ2eGyV2FI9IvrEk4yHULLtkkNEhlTqG3N:x735PwC2F8IvADsOLt7k17
TLSH: T1CA9401202BA82722DD3E67F91925162447B7F14A1176E3897E8E3ACF876BB510D40F63
Reporter: cocaman
Tags: FormBook iso


cocaman
Malicious email (T1566.001)
From: "herman <hvaldez@row-inc.com>" (likely spoofed)
Received: "from mail.mc.net (mail.mc.net [209.172.128.24]) "
Date: "Wed, 03 Nov 2021 12:13:18 -0500"
Subject: "Re: PCB for 10/2021"
Attachment: "PCB 102021.iso"

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 110
Origin country: n/a

Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: MALICIOUS
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2021-11-03 15:28:12 UTC
AV detection: 6 of 44 (13.64%)
Threat level: 2/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:n35q loader rat suricata
Behaviour:
  Gathers network information
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Deletes itself
  Xloader Payload
  Xloader
  suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction: http://www.24hr.online/n35q/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook, iso 653c0f962f564b65191195197b7c23a6af4ab422a20af5040b6ae0fb56c43f02 (this sample)
Delivery method: Distributed via e-mail attachment

Comments