MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7049b87105bf668fa5eb1eaaa0000b7957fd939752841504aed80ce9ab1a4324. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7049b87105bf668fa5eb1eaaa0000b7957fd939752841504aed80ce9ab1a4324
SHA3-384 hash: b23834f58634bacb25a24717ad198ec0c21859c6be8c8a36739baf5b4156ba4005c3719e63930cf5e5c0ae674dec18e8
SHA1 hash: 68c28201a38c580fff712a8eddc1defae3466a63
MD5 hash: 59581ee9a2cb18982b8513df1669b049
humanhash: oklahoma-cola-jersey-finch
File name:FORM C-06192021.ISO
Download: download sample
Signature Formbook
Create hunting rule
File size:1'376'256 bytes
First seen:2021-06-20 05:11:10 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:lcVkw/b2Fdhlm4S4F3M9yh+E2VQrO3/vkEYFGtuVgJCyfB0GsyUG:lcaK2FTW0uVQrO3EXGtJ5Xv
TLSH 94559F203AD95729F17BAF7956D0308587FAF623A312D95E3CA902CB0752F81CED2536
Reporter cocaman
Tags:FormBook iso


Avatar
cocaman
Malicious email (T1566.001)
From: "Cellule de Communication Institutionnelle et des Relations Publiques
<ccirp@camtel.cm>" (likely spoofed)
Received: "from postfix-inbound-3.inbound.mailchannels.net (inbound-egress-6.mailchannels.net [199.10.31.238]) "
Date: "Sat, 19 Jun 2021 13:32:59 +0000"
Subject: "FORM C-06192021 JUN19 2021"
Attachment: "FORM C-06192021.ISO"

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.59835.19653.19283.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7049b87105bf668fa5eb1eaaa0000b7957fd939752841504aed80ce9ab1a4324/
Threat name:
ByteCode-MSIL.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 13:17:09 UTC
File Type:
Binary (Archive)
Extracted files:
23
AV detection:
5 of 46 (10.87%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obe3q4ifx5ti7jpld2vkaaalpfl73e4xkkcbkbfo3agotky2imsa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210620-xps14zp3dn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.adultpeace.com/p2io/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7049b87105bf668fa5eb1eaaa0000b7957fd939752841504aed80ce9ab1a4324

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 7049b87105bf668fa5eb1eaaa0000b7957fd939752841504aed80ce9ab1a4324

(this sample)

Formbook

Executable exe 627a04d8c996dd089b215283dcbca862df324f676d143ffc64dba5cd9754bedf

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 627a04d8c996dd089b215283dcbca862df324f676d143ffc64dba5cd9754bedf

Comments