MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b2d58fc166483d629c34ce43755517784fd00eb691aec1037e333f3759fcf49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b2d58fc166483d629c34ce43755517784fd00eb691aec1037e333f3759fcf49
SHA3-384 hash: ad139d9853778dd15a615be609b68424a2beb9362450bd9e4d39391f174ef8e5c55e2ce5be670a8948929a17518f6f66
SHA1 hash: 0774a83d385d18253d0f6e7b02a3699af20c443b
MD5 hash: 8b2f379ffe86b4ad0ef434942b512d8e
humanhash: stream-apart-butter-leopard
File name:001100202021.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:393'506 bytes
First seen:2021-11-02 12:38:13 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:n5G+o+Y/t6fvcBl8woyi2Jec4PXq2sWDjz:n5G+PYWvc8efJecSXX
TLSH T17A84231B0403BBC6E0FD7F9876A33C681334F6D1016AC28E39385E9B86D76525AB5C99
Reporter cocaman
Tags:FormBook lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Account <cam.ros@soshoping.com>" (likely spoofed)
Received: "from slot0.soshoping.com (slot0.soshoping.com [2.56.59.133]) "
Date: "2 Nov 2021 05:37:13 -0700"
Subject: "REMITTANCE ADVICE"
Attachment: "001100202021.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61813167bf51178dbe48bb6c/reports/8d908a28-d00d-418f-8e61-5ee3501a76d7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b2d58fc166483d629c34ce43755517784fd00eb691aec1037e333f3759fcf49/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 12:39:05 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmwvr7awmsb5mkodjtsdovkro6cp2ahlnenoyebx4mz7g5m7z5eq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:u1bs rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211102-pvmhnshedn/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.vgmpradio.com/u1bs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b2d58fc166483d629c34ce43755517784fd00eb691aec1037e333f3759fcf49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 7b2d58fc166483d629c34ce43755517784fd00eb691aec1037e333f3759fcf49

(this sample)

Formbook

Executable exe 62678459c076b6993bbe9cc617bde236afe8a87906f5de98adc375665ba0a84f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 62678459c076b6993bbe9cc617bde236afe8a87906f5de98adc375665ba0a84f
  
Dropping
Formbook

Comments