MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 819c1a979f3b6fd7b9972353cedff7e2ac6ae0a800320871027fd699d9d54202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 819c1a979f3b6fd7b9972353cedff7e2ac6ae0a800320871027fd699d9d54202
SHA3-384 hash: eb48f0aa88827083e3615f427d920bfe077860a841264f41056ca6a4cc43af876c39002b3644089b4da7e94e7b48d715
SHA1 hash: f82699dca9034b6a9a48755880e1600227e0b40c
MD5 hash: e3336ba158e0f714612cef2a36297f85
humanhash: mirror-harry-sierra-low
File name:BlJPBpcxQ6OnmNz.iso
Download: download sample
Signature Formbook
Create hunting rule
File size:1'441'792 bytes
First seen:2022-04-14 14:19:55 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 24576:uF37VG2MxjusozRJKr6NHAolQvPpIYyQ3Wf5EZ:KRYxh+DK8AIYzq5E
TLSH T1CE65F154F2996EE2D03A4FF45864E80413F67716653ECA693CFEF0CA0A717C16226E4B
TrID 99.6% (.NULL) null bytes (2048000/1)
0.2% (.ATN) Photoshop Action (5007/6/1)
0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
0.0% (.SMT) Memo File Apollo Database Engine (88/84)
Reporter cocaman
Tags:FormBook iso


Avatar
cocaman
Malicious email (T1566.001)
From: "Finance<finance@svsmart.com.pg>" (likely spoofed)
Received: "from svsmart.com.pg (unknown [180.214.239.224]) "
Date: "14 Apr 2022 07:09:58 -0700"
Subject: "BANK CONFIRMATION"
Attachment: "BlJPBpcxQ6OnmNz.iso"

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.21924.27010.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/62582dc9482f2f41caae8b18/reports/38aa1b20-5f7e-4890-b34c-d409a440d0cc/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/819c1a979f3b6fd7b9972353cedff7e2ac6ae0a800320871027fd699d9d54202/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 14:20:59 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgobvf47hnx5pomxenj45x7x4kwgvyfiaazaq4icp7ljtwoviiba._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ee3s loader rat
Link:
https://tria.ge/reports/220414-rnwtwafef5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/819c1a979f3b6fd7b9972353cedff7e2ac6ae0a800320871027fd699d9d54202

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 819c1a979f3b6fd7b9972353cedff7e2ac6ae0a800320871027fd699d9d54202

(this sample)

Formbook

Executable exe 61ee0cca6d45766ecfedcfafba7f2e57d8fc2f4ee9b42bce3e7ffe5848c071f9

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 61ee0cca6d45766ecfedcfafba7f2e57d8fc2f4ee9b42bce3e7ffe5848c071f9
  
Dropping
Formbook

Comments