MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8cf7ec30c5c05ce315c8fe411f83966840adf03047bc032d9f776740fbe742. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d8cf7ec30c5c05ce315c8fe411f83966840adf03047bc032d9f776740fbe742
SHA3-384 hash: 4041dff285008993ea0653a0ac76277668af2dab3a1a8cbcb06a52204afbf897e533dcb00866b68fe9bebc2c12664f6c
SHA1 hash: b46d6bdfedbe1adf0c32a0714e25e3db35e2e2fa
MD5 hash: 15f7f83b186e80f4bb0b86077f90b2f4
humanhash: kitten-minnesota-rugby-romeo
File name:UPS#SHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:210'955 bytes
First seen:2021-06-14 05:22:06 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 3072:UBGx2K7S21hpO0SgBZhWcYNPdOPphrxcFrQ+dT/7Y2Ta4T9n8I2utfK3HCx:UK2K7fsQhWcSsphrCNdTzYn4TL2qKyx
TLSH F72423D53E0B3362A340CD0D2496D3ABEE3AEE4F2F544C993238D96B5A11D76E54814F
Reporter cocaman
Tags:FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: "UPS <pur1@binhnam.vn>" (likely spoofed)
Received: "from hwsrv-886506.hostwindsdns.com (ns1.biotechnologyinc.pw [104.168.214.251]) "
Date: "14 Jun 2021 06:06:22 +0200"
Subject: "UPS SHIPMENT CONFIRMATION"
Attachment: "UPS#SHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d8cf7ec30c5c05ce315c8fe411f83966840adf03047bc032d9f776740fbe742/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 23:52:01 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwgpp3bqyxafzyyvzd7ech4dszueblpqgbd3yaznt53woqh345ba._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210614-d119jxheca/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.feng-shui.site/ssh4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/8d8cf7ec30c5c05ce315c8fe411f83966840adf03047bc032d9f776740fbe742

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 8d8cf7ec30c5c05ce315c8fe411f83966840adf03047bc032d9f776740fbe742

(this sample)

Formbook

Executable exe 44328ff389f8b9fb0679290b9848395d930dd57cf30eb76d16af61289e6ba2c7

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 44328ff389f8b9fb0679290b9848395d930dd57cf30eb76d16af61289e6ba2c7

Comments