MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a66b21667a04908ecafa8ac112c66588101c5e314cf32ca3b628891129635eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a66b21667a04908ecafa8ac112c66588101c5e314cf32ca3b628891129635eb
SHA3-384 hash: 40bb36bda61ea77520df357460fe8ef39ed0abfad0811bbcc6322f98391a5c044c5015a730a7c20ef7788fdffae0eadf
SHA1 hash: 902438d24a2ebe6ec8f82df17ff0a1184d5c41ba
MD5 hash: 843aa22495480166aff7bd3795f00b7c
humanhash: solar-fillet-maryland-bravo
File name:Drawings.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:715'232 bytes
First seen:2021-02-22 07:01:34 UTC
Last seen:2021-02-22 07:25:12 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:RxVpqknBl0bC0x5m7eBN/Fi7U/f7f5LxCHlYs4ulNnQm2dJI8pMWHAV11EdkR9:RvnBl0bPxoWzfRxelC61Qm2dJdpM4APJ
TLSH 47E433D646339D983E7249E56A0B40342E098F12F160E0DBC6378C2F67D6DC793BE5A6
Reporter abuse_ch
Tags:FormBook zip


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: Averett.edu
Sending IP: 205.167.138.208
From: Trim Poker <abuse@averett.edu>
Reply-To: Trim Poker <smtpfox-zxy5e@dgpl.by>
Subject: New Order Confirmation
Attachment: Drawings.zip (contains "Drawings.xlsm")

Formbook payload URL:
http://cheatsheet2weightloss.com/Designs.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Obfus-108.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.StopCryingYourHeartOut.20210216.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With No Content
Document contains little or no semantic information.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a66b21667a04908ecafa8ac112c66588101c5e314cf32ca3b628891129635eb/
Threat name:
Document-Excel.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 07:02:10 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjtlefthubeqr3fpvcwbcldglcaqdrpdcthtfsr3mkejceuwgxvq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 8a66b21667a04908ecafa8ac112c66588101c5e314cf32ca3b628891129635eb

(this sample)

Formbook

Excel file xlsm a2e56ee7abc330ee99d988aee0c118f06003cd7062c3a68bedec7faa59f41f55

  
URLhaus
https://urlhaus.abuse.ch/url/1023452/
  
Dropping
MD5 78a966dd22bc2e85d2f807e2575ea471
  
Dropping
Formbook
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a2e56ee7abc330ee99d988aee0c118f06003cd7062c3a68bedec7faa59f41f55
  
Dropping
SHA256 f0898da54ae0f11c2769f71e20969563bc58e74bb1594869108b8242a9c2419b
  
Dropping
MD5 e8fa281769eebdc238ff7996041239a8

Comments