MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 664484dfb0bbbef8bf25f0174447112f7733896f24bde007cbf97ef2e7f3d14a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	664484dfb0bbbef8bf25f0174447112f7733896f24bde007cbf97ef2e7f3d14a
SHA3-384 hash:	378c86e365157f024b01f974b37cd9482cfb1756889ccd382751751ac393abce9d5cbb9e095e6fe160d5278c88589a05
SHA1 hash:	96a403b07b0839a8ddadb6ec00016c484eb70652
MD5 hash:	38a11d5ba2ed91631d443b0fad223ca2
humanhash:	don-equal-tennis-delaware
File name:	Manorama___RFQ.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	595'783 bytes
First seen:	2021-07-06 10:01:07 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:6H9d7zXoVD3stsqyUUeeGox7eznsVTM8s9H/F:6vzXsD6sIA8nsVT4H/F
TLSH	5DC423CD6F1AB343EE0B14A5D61A40B887D06D94261D2E27D9EE823EE953D07733609F
Reporter	cocaman
Tags:	FormBook zip

cocaman

Malicious email (T1566.001)
From: "Vishwa Pratap Yadav <stores@manoramagroup.co.in>" (likely spoofed)
Received: "from manoramagroup.co.in (unknown [103.139.44.229]) "
Date: "06 Jul 2021 02:58:37 -0700"
Subject: "Request for quotation"
Attachment: "Manorama___RFQ.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20210706-0603.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/664484dfb0bbbef8bf25f0174447112f7733896f24bde007cbf97ef2e7f3d14a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/664484dfb0bbbef8bf25f0174447112f7733896f24bde007cbf97ef2e7f3d14a/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-07-06 01:13:27 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

2 of 46 (4.35%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mzcijx5qxo7prpzf6aluiryrf53thclpes66ab6l7f7pfz7t2ffa._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210706-4j1jp8hkex/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.bodymoisturizer.online/q4kr/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/664484dfb0bbbef8bf25f0174447112f7733896f24bde007cbf97ef2e7f3d14a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 664484dfb0bbbef8bf25f0174447112f7733896f24bde007cbf97ef2e7f3d14a

(this sample)

Formbook

exe 3760fb75e6479b6ecf20f6d5a4ddda0b6a5c7c0e907c43b92a0e1712461c6b58

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 3760fb75e6479b6ecf20f6d5a4ddda0b6a5c7c0e907c43b92a0e1712461c6b58

Dropping

Formbook

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample