MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a4b85572967ee5f751ace61f95ff6b9668700cc888900173a71f44b796c4160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a4b85572967ee5f751ace61f95ff6b9668700cc888900173a71f44b796c4160
SHA3-384 hash: ebf7efd3ed7661fafcc95d99ed8333a6bc83a5caa247680fdfa1f680482a44d506d6832a3f69e878aea1a65a78a65223
SHA1 hash: 4a3a22f7e8aedf1d1e2e36dbfa02edf5968eb866
MD5 hash: d7d4505c9c46ee384311a28cfeb283fa
humanhash: yankee-cold-eight-saturn
File name:Incorrect_Payment Details MT144_SWIFT.7Z
Download: download sample
Signature Formbook
Create hunting rule
File size:481'134 bytes
First seen:2021-11-23 09:47:47 UTC
Last seen:Never
File type: 7z
MIME type:application/x-rar
ssdeep 12288:Uqyhg8inuTYrDfi7BbdpRAD69VPGx5km1SI4:PoinHrDfgBbdpRAD+985kmS1
TLSH T11DA423B98674674C787D1F625FC63E13A05895DCDDE83D3DE3BA2AE0952B01943A2CE0
Reporter cocaman
Tags:7z FormBook INVOICE SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: "Gurban<info@firstkuwaiti.com>" (likely spoofed)
Received: "from firstkuwaiti.com (unknown [185.222.57.237]) "
Date: "23 Nov 2021 06:27:25 +0100"
Subject: "PAYMENT ERROR TEMPO Due Invoice"
Attachment: "Incorrect_Payment Details MT144_SWIFT.7Z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619cb8d6f36138de3f36d0b6/reports/5a0286a0-9576-486b-bdf2-4266b35e86ff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a4b85572967ee5f751ace61f95ff6b9668700cc888900173a71f44b796c4160/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 07:38:46 UTC
File Type:
Binary (Archive)
Extracted files:
52
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjfykvzjm7xf65i2zzq7sx7wxftioagmrceqafz2oh2ew6lmifqa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:46uq loader rat suricata
Link:
https://tria.ge/reports/211123-lss1wshgal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.jixelbbk.com/46uq/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9a4b85572967ee5f751ace61f95ff6b9668700cc888900173a71f44b796c4160

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 9a4b85572967ee5f751ace61f95ff6b9668700cc888900173a71f44b796c4160

(this sample)

Formbook

Executable exe 503fc3a0db4f69416153b122ee36cc8bcf16738b1bc192f6d20462b28bb640f7

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 503fc3a0db4f69416153b122ee36cc8bcf16738b1bc192f6d20462b28bb640f7

Comments