MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f30f6235ede3ca640a27c640c291228e74c1699b460147d5c18bddc3795bd8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 9

SHA256 hash: 7f30f6235ede3ca640a27c640c291228e74c1699b460147d5c18bddc3795bd8b
SHA3-384 hash: 96908aeb175712ad3d9a7d16536b34c8cfcc78791049869c4efe3c241cf44aaf19d76688774a790afd8a7aae0a9e3fbf
SHA1 hash: 8ab4141f2c2b6b2387a2e42d5974585d1f09954f
MD5 hash: 63dcc61b0f612a3ca6e5b95aec34e0a3
humanhash: magnesium-uncle-network-pluto
File name: MV. CMA CGM Verdi V-250E AWB PACKING LIST ISO CERTIFICATE BILL OF LANDING DRAFT. COMMERCIAL INVOICE SHIPMENT 709447464231.pdf.exe
Signature: Formbook
File size: 632'832 bytes
First seen: 2021-04-20 11:32:36 UTC
Last seen: 2021-04-20 13:01:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:yma9K/+SpfxeixXPzOF4/0JZDcuGN7xC7+LaosahyUukYrgzRRRRRy:dGSpJtLOq/0JCuGNNC7Ka9UyUukYIRRU
Threatray: 4'795 similar samples on MalwareBazaar
TLSH: 8ED4023133A8C758D8BF5FB91421518013FBB617EB16DB0D7DA801AD5EAB68383217A7
Reporter: cocaman
Tags: exe FormBook INVOICE

Intelligence

File Origin
# of uploads: 2
# of downloads: 91
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 85696cc9-8921-4a4a-988b-5af4102bfcd4
Verdict: Malicious activity
Analysis date: 2021-04-20 11:41:28 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request

Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader rat

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader

Malware Config
C2 Extraction: http://www.designart-sh.com/q44r/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Formbook
File: Executable exe 7f30f6235ede3ca640a27c640c291228e74c1699b460147d5c18bddc3795bd8b (this sample)

Comments