MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eac1ee2c601de814b716a91238a115f7294ed39fa0c0bf69eeb318ac9792284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8eac1ee2c601de814b716a91238a115f7294ed39fa0c0bf69eeb318ac9792284
SHA3-384 hash: 600c32f840371269e2274e5fafb45f2b236374d53b46f7ff522a6fcb02aaf00df652b39ede6ebc4aa564addb5adcd5c5
SHA1 hash: 815b96a425f107a2a064424cedbce5e4023df989
MD5 hash: 01b2a64fff1fe10a32ec06541181f48f
humanhash: fish-chicken-echo-table
File name:NEW ORDER RE PO88224.PDF.iso
Download: download sample
Signature Formbook
Create hunting rule
File size:538'624 bytes
First seen:2021-09-24 08:12:51 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:LZrYGEVYoe9w7blnIuYMoGcMI5H9MXJ3dGMMLVbGJKJewYkVf:V8YH9wXlnIu4GcM2oBURGJeBV
TLSH T13CB4E050A7DCEA9FE3192975A9546C004267E3DD21A2DE4AFC6E40753FE3208FB11EC6
Reporter cocaman
Tags:FormBook iso


Avatar
cocaman
Malicious email (T1566.001)
From: ""Kit Leung" <muzammil@polestarshipping.com>" (likely spoofed)
Received: "from polestarshipping.com (unknown [103.156.91.251]) "
Date: "23 Sep 2021 17:22:45 -0700"
Subject: "RE: PO88224 || NEW ORDER"
Attachment: "NEW ORDER RE PO88224.PDF.iso"

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_fs921.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8eac1ee2c601de814b716a91238a115f7294ed39fa0c0bf69eeb318ac9792284/
Threat name:
Win32.Trojan.Zmutzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 21:24:32 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2wb5ywgahpics3rnkishcqrl5zjj3jz7igax5u65myyvslzekca._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ny9y loader rat suricata
Link:
https://tria.ge/reports/210924-j4earsgcgm/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.caddomain.com/ny9y/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8eac1ee2c601de814b716a91238a115f7294ed39fa0c0bf69eeb318ac9792284

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 8eac1ee2c601de814b716a91238a115f7294ed39fa0c0bf69eeb318ac9792284

(this sample)

Formbook

Executable exe 4dfab25d3ccff9a33396c252590c27c57f23f9a94b11ebd9834b23981b0908e6

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4dfab25d3ccff9a33396c252590c27c57f23f9a94b11ebd9834b23981b0908e6

Comments