MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d3fe48363d732ff5bc7b3896eaf36caf342c8c7825ef31cf05d2ae356f64163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d3fe48363d732ff5bc7b3896eaf36caf342c8c7825ef31cf05d2ae356f64163
SHA3-384 hash: f2829eafb3568bd8c927c21afc3aa73259c56e1d97be8467f3203d08fc350433c6b144a7b17b8d16292e067ad2272cc9
SHA1 hash: 578642555e5d89088296594d329dae2d06b5479d
MD5 hash: 3509ef8f17c12c7deeb497514350f7bf
humanhash: four-nine-mississippi-undress
File name:PO00112Invoices.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:359'178 bytes
First seen:2021-11-04 11:58:08 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:btFf0uh/noJJk4kSOFt+P2Rrvrgb5ZhuDzGoqhWaIjz90NCrcvtwgGyZBw7aZNI:b0uVozvOFtFvrgb5ruG9UjzeCrcvtFGn
TLSH T1047423668C1F5B33C689712274033DB31A0BCD68126529FEDC6B0570FD6EB9A739B01A
Reporter cocaman
Tags:FormBook INVOICE zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""PV Germany GmbH & Co. KG" <postmaster@tzonn.xyz>" (likely spoofed)
Received: "from hosted-4-client-dedicated-live-server2.devllar.com (hosted-4-client-dedicated-live-server2.devllar.com [103.102.238.138]) "
Date: "Thu, 04 Nov 2021 04:25:32 -0700"
Subject: "Hello Dear"
Attachment: "PO00112Invoices.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis05404BB4C3BD.11018.20173.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6183cb08c03a81a5023f824e/reports/e5e9d669-8bf5-4dc4-a045-03fb9570ea12/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6d3fe48363d732ff5bc7b3896eaf36caf342c8c7825ef31cf05d2ae356f64163
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d3fe48363d732ff5bc7b3896eaf36caf342c8c7825ef31cf05d2ae356f64163/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-04 11:59:04 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nu76ja3d24zp6w6hwoew5lzwzlzufsghqjppghhqluvogvxwifrq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fidd loader rat suricata
Link:
https://tria.ge/reports/211104-n5qseadfgl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.holidayhomebliss.com/fidd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d3fe48363d732ff5bc7b3896eaf36caf342c8c7825ef31cf05d2ae356f64163

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6d3fe48363d732ff5bc7b3896eaf36caf342c8c7825ef31cf05d2ae356f64163

(this sample)

Formbook

Executable exe 4bd61ebdde5aa96681173c42a9a296a8cf444dbee2c2d16aed1d76736038b65a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4bd61ebdde5aa96681173c42a9a296a8cf444dbee2c2d16aed1d76736038b65a
  
Dropping
Formbook

Comments