MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 8b516901a17ec32794de8c3577cba8cdcc9e85577a5d2e8a244cd202b5b01cc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 6
| SHA256 hash: | 8b516901a17ec32794de8c3577cba8cdcc9e85577a5d2e8a244cd202b5b01cc7 |
|---|---|
| SHA3-384 hash: | 10c408811a447c9ab4f46b10e71cd2b80fe2f1d4bc64b4f3a2de130c06b75e403764fdea4c2253e729b7eaf097daf6bc |
| SHA1 hash: | 3ab15ef44de0c235ab06d1811eadd4bd43fcd08c |
| MD5 hash: | bfdd0051da9ab1d475b8624f861881d3 |
| humanhash: | michigan-colorado-alaska-iowa |
| File name: | Yeni Satin Alma Siparisi ektedir.zip |
| Download: | download sample |
| Signature | Formbook |
| File size: | 375'022 bytes |
| First seen: | 2021-09-11 15:54:54 UTC |
| Last seen: | Never |
| File type: | zip |
| MIME type: | application/zip |
| ssdeep | 6144:aOTh+83BBwzUfJmko2ufIXKtgCPy/7f46xKGvEKdanHm6ZPGkleXBR2DrXKa1AeB:hh++waJW2uEKDPyDf46sKdUv9GkleXzq |
| TLSH | T12884234D319C6C88E0797D41EABB8C838531B1DE5AB89957FAF1CEF6B409E11D838360 |
| Reporter |  AndreGironda |
| Tags: | FormBook zip |
AndreGironda
MITRE T1566.001Date: Thu, 09 Sep 2021 04:00-04:40 +0100
From: Gülseren KETENCİ <gulseren@pointlojistik.com>
Subject: Yeni Satın Alma Siparişi
To: undisclosed-recipients:;
Message-ID: <a662b358b05b94be423d03087fb941a0@pointlojistik.com>
User-Agent: Roundcube Webmail/1.4.11
X-Sender: gulseren@pointlojistik.com
Return-Path: gulseren@pointlojistik.com
Attachment Name: Yeni Satin Alma Siparisi ektedir.zip
Attachment SHA256: 8b516901a17ec32794de8c3577cba8cdcc9e85577a5d2e8a244cd202b5b01cc7
Zipped Executable Name: Bdcuhmcgbsvmxhmuasrulqqnfbjdnogomk.exe
Executable SHA256: 4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e
Stage URL: hXXps://cdn.discordapp[.]com/attachments/862558875870036001/885238916712628224/Bdcuhmcgbsvmxhmuasrulqqnfbjdnog
Intelligence
File Origin
# of uploads :
1
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Link:
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Infostealer.Fareit
Status:
Malicious
First seen:
2021-09-11 13:55:49 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:3nop rat spyware stealer suricata trojan
Behaviour
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.jakesplacebarbers.com/3nop/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Dropping
Formbook
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.