MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65eb7e0cede38cb9d889d9193e674b6894db58ca258a32f89d20b1f2a856224a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	65eb7e0cede38cb9d889d9193e674b6894db58ca258a32f89d20b1f2a856224a
SHA3-384 hash:	0586dcda9baab5fff51ea098e7ea1bd3e1de88afdf5dbdd33bf1635c16df935d5aab4d63fe50fabdcdd8f8931b66d82b
SHA1 hash:	df8ca0e33a6a3bfc090e4b439120abe29ad6cfa8
MD5 hash:	cde5784e5ffdfe5568cb001e469063e6
humanhash:	sink-venus-red-item
File name:	SWIFT 00838303383 pdf.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	366'904 bytes
First seen:	2021-07-05 05:18:23 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:oE4TnQWsHS27aijZHcCh5jaF3ZrIHVErHvd7E9lAaprBDvPPpYUoNmMF3l:orES27aW9cCh8IHVEBIS0rlPPpYUoNBf
TLSH	1774238A1F2B4B0B4ADE71CD3D2ECE4C22C0ABCC97C96955251DBAB205FD69270F585C
Reporter	cocaman
Tags:	FormBook SWIFT zip

cocaman

Malicious email (T1566.001)
From: "=?UTF-8?Q?=C4=B0ntizam_Novruzov?= <ifinahegai@mail.ru>" (likely spoofed)
Received: "from ns3.uzinfocom.uz (ns3.uzinfocom.uz [91.212.89.66]) "
Date: "Sun, 04 Jul 2021 09:12:09 -1200"
Subject: "=?UTF-8?Q?RE=3A_=D0=9F=D1=80=D0=BE=D0=B5=D0=BA=D1=82_Basqal-?=
=?UTF-8?Q?=D0=9E=D1=82=D0=B2=D0=B5=D1=82=D1=8B_=D0=BD=D0=B0_=D0=B2=D0=BE?=
=?UTF-8?Q?=D0=BF=D1=80=D0=BE=D1=81=D1=8B?="
Attachment: "SWIFT 00838303383 pdf.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/65eb7e0cede38cb9d889d9193e674b6894db58ca258a32f89d20b1f2a856224a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/65eb7e0cede38cb9d889d9193e674b6894db58ca258a32f89d20b1f2a856224a/

Threat name:

Win32.Exploit.Generic

Status:

Suspicious

First seen:

2021-07-04 20:02:42 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mxvx4dhn4ogltwej3emt4z2lncknwwgkewfdf6e5ecy7fkcwejfa._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210705-nr6r3b3v62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.kmresults.com/n7ak/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/65eb7e0cede38cb9d889d9193e674b6894db58ca258a32f89d20b1f2a856224a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 65eb7e0cede38cb9d889d9193e674b6894db58ca258a32f89d20b1f2a856224a

(this sample)

Formbook

exe 0726096c82c2c643c7de2ed48533e0a545e71f2294433cd7df473aebe9f17681

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 0726096c82c2c643c7de2ed48533e0a545e71f2294433cd7df473aebe9f17681

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample