MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 957c73e0b2de1d003edccb395392eebdb9d9e644fa24a92051e42b6ad050de03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 957c73e0b2de1d003edccb395392eebdb9d9e644fa24a92051e42b6ad050de03
SHA3-384 hash: 3840b38b2f749f0e343704614743ecc28219bf2619dd9f57eec08cf3de9aae2e088190550c0d63b5c7ad1788d04ab172
SHA1 hash: c9e2938dacb1bf061f52142382add9292c7a3819
MD5 hash: 6541b74581e139a19b8b7304740714a4
humanhash: asparagus-mango-muppet-oven
File name:SOA 58097213.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:198'022 bytes
First seen:2022-05-18 07:20:30 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:2crPyCZ6ldH+17jB4s232C1kI3wayK5eYeR4SYS7s:lPwldH+B6s232CGpf4eYeTYYs
TLSH T1E1142320BE817EDF5DFBAED1E31CC1A15092DCC2EEE9CB42317A386D463E364251516A
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "accounts@oocl.com" (likely spoofed)
Received: "from [212.192.241.61] (unknown [212.192.241.61]) "
Date: "18 May 2022 05:44:45 +0200"
Subject: "Re: SOA OF FEB+MAR ,pls check"
Attachment: "SOA 58097213.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.1.11799.23593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe lokibot overlay packed shell32.dll winlock
Link:
https://www.filescan.io/uploads/62849e5e6b2a366ce41b0f88/reports/5fff4a90-4060-48bc-ae26-9df5ab8fb50e/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/957c73e0b2de1d003edccb395392eebdb9d9e644fa24a92051e42b6ad050de03
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/957c73e0b2de1d003edccb395392eebdb9d9e644fa24a92051e42b6ad050de03/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 02:19:35 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sv6hhyfs3yoqapw4zm4vhexoxw45tzse7isksicr4qvwvucq3ybq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:he8c loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220518-h6m51seha4/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/957c73e0b2de1d003edccb395392eebdb9d9e644fa24a92051e42b6ad050de03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 957c73e0b2de1d003edccb395392eebdb9d9e644fa24a92051e42b6ad050de03

(this sample)

Formbook

Executable exe 599fdd54ded9239527033a4d51f408f92dcb23ced86c8885b47e1f74949397a4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 599fdd54ded9239527033a4d51f408f92dcb23ced86c8885b47e1f74949397a4
  
Dropping
MD5 365e035efad143367e8b7dee7bf5f828

Comments