MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71e3486d117a94cd96f40208c6f38981d1403d1374aca9c0449e2f0a9f20f534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71e3486d117a94cd96f40208c6f38981d1403d1374aca9c0449e2f0a9f20f534
SHA3-384 hash: 7e4f94bf1f7f4a3fa57b34df1cafdaffa56ea5e7ddce2ca65dd236cddf120d0df1d28b4f6770840fe774ff87a92a1e8b
SHA1 hash: c9e776780277620523b5c2b9b4ee2ac2285a2d82
MD5 hash: 4a216619538529cc3b54e8e55fcdcbad
humanhash: maryland-golf-autumn-maine
File name:Bank Payment Details.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:224'229 bytes
First seen:2021-06-04 05:25:15 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:4hMkla4rRanBM5Dtu1Rz0LBYB/7PwppCOQ:yMkla4dayD0z0LB27wpQOQ
TLSH A324239432C4577D7A7206C8CFA31FFE784D9264B78D55290DCA132CA46FB822092F1A
Reporter cocaman
Tags:lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Saleem<sales@digitaleyechart.com>" (likely spoofed)
Received: "from digitaleyechart.com (unknown [45.137.22.37]) "
Date: "3 Jun 2021 14:42:45 -0700"
Subject: "Bank Payment Details"
Attachment: "Bank Payment Details.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71e3486d117a94cd96f40208c6f38981d1403d1374aca9c0449e2f0a9f20f534/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-04 03:19:00 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
9 of 29 (31.03%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohruq3irpkkm3fxuaiemn44jqhiuapitoswktqcetyxqvhza6u2a._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210604-4bkdwh9nge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.moneyhuntercom.info/ngvm/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/71e3486d117a94cd96f40208c6f38981d1403d1374aca9c0449e2f0a9f20f534

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 71e3486d117a94cd96f40208c6f38981d1403d1374aca9c0449e2f0a9f20f534

(this sample)

Formbook

Executable exe b008d45c311869fdc53a64fe06a8f2e9d0fa4bb4c5d01eaf4369052d31e1eeb8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b008d45c311869fdc53a64fe06a8f2e9d0fa4bb4c5d01eaf4369052d31e1eeb8

Comments