MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91bdcb24a207b35ecc2fda29096e77f8718b7e71c001c07c3510f905976c293d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 7

SHA256 hash: 91bdcb24a207b35ecc2fda29096e77f8718b7e71c001c07c3510f905976c293d
SHA3-384 hash: e409214de35b1a3362afa323ac578b63b930167aced0782b332ff9dcca8d0dd29179c474d1ac9c2b3f0203178f9f1346
SHA1 hash: 007e7dd239e9acea16c20f49611347ecd7325042
MD5 hash: 89be02df83401574fc8fa881f290f3a1
humanhash: minnesota-wisconsin-mexico-early
File name: 005432567455.TAR
Signature: Formbook
File size: 418'307 bytes
First seen: 2022-03-16 11:05:57 UTC
Last seen: 2022-04-20 09:41:44 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 6144:dEvYvaKC4XKXsNUhwaDkJtsuCq9vdK+F6EirNsWhkCB6a7w3tlF:SvMKXyULDkvsDqJdK+F6EaakxE3F
TLSH: T1A494231443B02E35C0B98B27CBBE4A5AC5433952C8FBC712964B6E7C96636F0DDA06D7
Reporter: cocaman
Tags: FormBook rar tar


cocaman
Malicious email (T1566.001)
From: ""Malandkar, Ajay (Mumbai - IN)" <Ajay.Malandkar@viterra.com>" (likely spoofed)
Received: "from viterra.com (unknown [185.222.58.240]) "
Date: "16 Mar 2022 08:00:05 +0100"
Subject: "FULL SET OF DOCS REQD - PURCHASE CONTRAC TVI/IMP/21-22/103 -V0020- MYANMAR BLACK MATPE SQ- 250MTS- AT USD 860 PMT FOR CHENNAI SELLERS - P.L. GLOBAL IMPEX PTE. LTD: BUYER- VITERRA INDIA PRIVATE LIMITED - BROKER SHARAD ENTERPRISES MARCH,2022 SHIPMENT"
Attachment: "005432567455.TAR"

Intelligence


File Origin
# of uploads: 7
# of downloads: 197
Origin country: n/a

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit obfuscated packed wacatac

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2022-03-16 07:04:07 UTC
File Type: Binary (Archive)
Extracted files: 15
AV detection: 25 of 42 (59.52%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:p9iu loader rat
Behaviour:
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
  Xloader Payload
  Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
rar 91bdcb24a207b35ecc2fda29096e77f8718b7e71c001c07c3510f905976c293d (this sample)
Delivery method: Distributed via e-mail attachment

Comments