MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9985c27f8e6fe55e2c63eac175bede457800eaaef91d7706d4f4c02f3dc67e5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9985c27f8e6fe55e2c63eac175bede457800eaaef91d7706d4f4c02f3dc67e5a
SHA3-384 hash: 2ab30c52d8e33b1831c1b933248f9b8b651026cca9055c41499a47716d3cbb98c54099b32ad9223ef8ed6c7f512e004e
SHA1 hash: d1343985bb28b1bbbdc2552fb76d5a5abd9073a9
MD5 hash: db93918a58b5a0f61af5e20e8052a8bb
humanhash: xray-don-oven-bacon
File name:Halkbank,doc 12082021.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:960'136 bytes
First seen:2021-12-08 10:20:03 UTC
Last seen:2021-12-08 15:13:34 UTC
File type: rar
MIME type:application/x-rar
ssdeep 24576:IRbx1/iGKpUKlpepwF2Tah+3IHMjxrmylQsq91bF:IRbaxiOpeCFoah+Px/Qx9FF
TLSH T12E15332DC1834FE82C0ABCD2CD6D42183D97E369B78B8DD71015B51697B4248E3BE99B
Reporter cocaman
Tags:FormBook r11 rar


Avatar
cocaman
Malicious email (T1566.001)
From: "T. HALK BANKASI<EKSTRE@halkbank.com.tr>" (likely spoofed)
Received: "from halkbank.com.tr (unknown [185.222.58.155]) "
Date: "8 Dec 2021 12:44:10 +0100"
Subject: "FW: T.HALK BANKASI A.S.Hesap Ekstresi E-dekont "
Attachment: "Halkbank,doc 12082021.r11"

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b086d747ed217c0135a281/reports/47b739d7-ca61-420e-a060-e12bd89ff5d0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9985c27f8e6fe55e2c63eac175bede457800eaaef91d7706d4f4c02f3dc67e5a/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-08 10:20:15 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
6 of 44 (13.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgc4e74on7sv4ldd5laxlpw6iv4ab2vo7eoxobwu6tac6pogpzna._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:posg loader rat suricata
Link:
https://tria.ge/reports/211208-mc49nahfan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.bennshop.com/posg/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/9985c27f8e6fe55e2c63eac175bede457800eaaef91d7706d4f4c02f3dc67e5a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 9985c27f8e6fe55e2c63eac175bede457800eaaef91d7706d4f4c02f3dc67e5a

(this sample)

Formbook

Executable exe 6abf7f59336bf7fcaaf2825e7ae569441c21f9ba09bc53e8a4ff0489e50cdade

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6abf7f59336bf7fcaaf2825e7ae569441c21f9ba09bc53e8a4ff0489e50cdade

Comments