MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a0e26086494a46e09c1ed630a51998f05dc8ea0ec1584d2d1775f0e40ef5869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	6a0e26086494a46e09c1ed630a51998f05dc8ea0ec1584d2d1775f0e40ef5869
SHA3-384 hash:	4b4be8531b50440d64e80204b0b0f4b0d36ee2eb7b929d91d503df4571d10bbab158ba265c23703cef7404ffd63c1a72
SHA1 hash:	65c60986fa9b6fbe946acf6132d9a7bbaabe4fc2
MD5 hash:	69364aeb8d0d7494b2c57b15468d80da
humanhash:	kentucky-asparagus-hamper-jersey
File name:	Quotation for Urgent PO 110921.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'001'334 bytes
First seen:	2021-12-14 18:47:31 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:HxvE9pyPLIQl/5BU+V44MKH+fwGkX52ADRuWxg/J:0OXl/3X1+ZkX/R0
TLSH	T13B2533F72BC906E7792992E29A6680500FBD1AB05D5A5030BDD7AD1E0DC6CB4DFF0B24
Reporter	cocaman
Tags:	FormBook zip

cocaman

Malicious email (T1566.001)
From: "West Legend Trading <sales@westlegend.com>" (likely spoofed)
Received: "from westlegend.com (unknown [185.222.58.146]) "
Date: "14 Dec 2021 19:46:49 +0100"
Subject: "=?UTF-8?B?UmU6IFNvbGljaXRhcmUgZGUgb2ZlcnTEgyBwZW50cnUgY29tYW5kYSB1cmdlbnTEgyBQTyAxMTA5MjFfMTEwOTIx?="
Attachment: "Quotation for Urgent PO 110921.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1128.13224.27658.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool obfuscated packed

Link:

https://www.filescan.io/uploads/61b8e6e8db84542d41bee788/reports/7d145035-0eaf-4f87-bb3d-e3b08fe6626b/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/6a0e26086494a46e09c1ed630a51998f05dc8ea0ec1584d2d1775f0e40ef5869

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a0e26086494a46e09c1ed630a51998f05dc8ea0ec1584d2d1775f0e40ef5869/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2021-12-14 15:10:41 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

29 of 45 (64.44%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nihcmcdesssg4cob5vrquumzr4c5zdva5qkyjuwro5pq4qhplbuq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:posg loader rat

Link:

https://tria.ge/reports/211214-xfr4lsgcb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.bennshop.com/posg/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/6a0e26086494a46e09c1ed630a51998f05dc8ea0ec1584d2d1775f0e40ef5869

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6a0e26086494a46e09c1ed630a51998f05dc8ea0ec1584d2d1775f0e40ef5869

(this sample)

Formbook

exe 2b79a539c923a5ed65891331804be81fcd6c85c0a63bd6e89180e7f0e9eb3239

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 2b79a539c923a5ed65891331804be81fcd6c85c0a63bd6e89180e7f0e9eb3239

Dropping

Formbook

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample