MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7188da0280594e4277cfbdfab4ac468b49122e36d340502c871ad06954cd10df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7188da0280594e4277cfbdfab4ac468b49122e36d340502c871ad06954cd10df
SHA3-384 hash: 2aa5aebf64c882dbe73fe94dca7657f71181999916ffed8dbd95d3c33e36c2d7a99201081f7114807cd61bc95f3e58b8
SHA1 hash: 4fbbf4865f047dc5a29b311428e21761c73847cc
MD5 hash: 81a3b863adacf4c7737d6d6db94d0370
humanhash: white-colorado-paris-king
File name:PO#.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:523'895 bytes
First seen:2022-03-02 07:57:25 UTC
Last seen:2022-03-03 07:07:03 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:nczUAcRmM/DDq2tFLwTI388MjW1h3i3/H0xE2kQce:ncz2RmM/q2tFkz82sxE2P
TLSH T1C9B423326655FC97EF880397D1DE81ABCC600B7BD37D8F6823605A0BE8ECAA55C145D8
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Sohail Salahuddin <financepk@westernfreights.com>" (likely spoofed)
Received: "from westernfreights.com (unknown [103.156.93.66]) "
Date: "2 Mar 2022 07:54:02 -0800"
Subject: "advance TT remitted "
Attachment: "PO#.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs292.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/621f238db94fb38cb436732f/reports/c82f9840-4148-4191-a195-02f0be98f305/overview
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/7188da0280594e4277cfbdfab4ac468b49122e36d340502c871ad06954cd10df
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7188da0280594e4277cfbdfab4ac468b49122e36d340502c871ad06954cd10df/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 07:58:12 UTC
File Type:
Binary (Archive)
Extracted files:
8
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ogenuaualfhee56pxx5ljlcgrnerelrw2nafalehdligsvgncdpq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gire loader rat
Link:
https://tria.ge/reports/220302-jtvvrsdhh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/7188da0280594e4277cfbdfab4ac468b49122e36d340502c871ad06954cd10df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 7188da0280594e4277cfbdfab4ac468b49122e36d340502c871ad06954cd10df

(this sample)

Formbook

Executable exe 6b765d70d97e0b3d8da0d871555d9d284bd08e85034ad45447bde1aadd2b2878

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6b765d70d97e0b3d8da0d871555d9d284bd08e85034ad45447bde1aadd2b2878
  
Dropping
Formbook

Comments