MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71ddf6c36f5d392f8219595aff3cbaa98aac7e018b753ae82c665d1e6243f9fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	71ddf6c36f5d392f8219595aff3cbaa98aac7e018b753ae82c665d1e6243f9fc
SHA3-384 hash:	1cb121942805e65625c8d72287310bf72d04e07ec25d91f35e8040c2bfc62cdc19f1d2e84e58c45ca4f5628fb27b136f
SHA1 hash:	3e5f1e46b4fa97b412f76877b4be11983ca9fd6c
MD5 hash:	13c5269b2937526632effedac603e772
humanhash:	rugby-fix-lake-crazy
File name:	Quotation Sample_20222402-098-VP-882.xll
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'176'576 bytes
First seen:	2022-02-24 17:23:41 UTC
Last seen:	2022-04-20 10:23:59 UTC
File type:	xll
MIME type:	application/x-dosexec
imphash	95866651b7f95c626ef9a4c17f1bbf30 (2 x Formbook, 1 x AgentTesla)
ssdeep	24576:YPJnab4teR33QeSWA5J+mWhb5+eX1tA6qBsuRZbGz7shgvT:EJnab4eFhb51qFDG7shGT
Threatray	46 similar samples on MalwareBazaar
TLSH	T10A45C05677C426F1D2BFC27AC6A24A38E67374124360A78F639043991EE3352573BB1E
Reporter	abuse_ch
Tags:	FormBook xll

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.MulDropNET.52.23554.8055.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/71ddf6c36f5d392f8219595aff3cbaa98aac7e018b753ae82c665d1e6243f9fc/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6217bf39a6f52d32f1830c22/reports/8f5d7056-91df-4e65-960a-734017d22905/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/71ddf6c36f5d392f8219595aff3cbaa98aac7e018b753ae82c665d1e6243f9fc/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-02-24 17:24:14 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

2 of 43 (4.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oho7nq3plu4s7aqzlfnp6pf2vgfky7qbrn2tv2bmmzor4ysd7h6a._file

Verdict:

unknown

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:okup loader rat

Link:

https://tria.ge/reports/220224-vyp1vsddd2/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/71ddf6c36f5d392f8219595aff3cbaa98aac7e018b753ae82c665d1e6243f9fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

xll 71ddf6c36f5d392f8219595aff3cbaa98aac7e018b753ae82c665d1e6243f9fc

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample