MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b4af1ad9662321be7d1da77839ac8b527810d934f8b5c21594e71afcc1d5d63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b4af1ad9662321be7d1da77839ac8b527810d934f8b5c21594e71afcc1d5d63
SHA3-384 hash: 1b3dc2c13c87217b0bb6471125cd87ced7ca42072a83dd57b8da61dba5462a1a8a550c451727e75e553dfa1180436808
SHA1 hash: 30b549715736b5a6fef7b90162275063ef6e1462
MD5 hash: 44e721d6474e631e409f6060f4fb6d0a
humanhash: friend-zulu-maine-chicken
File name:RFQ_445556667887_ JPG IMAGE_.7z
Download: download sample
Signature Formbook
Create hunting rule
File size:394'280 bytes
First seen:2021-11-26 06:41:55 UTC
Last seen:2021-11-26 07:04:38 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:3sAw9izv7RZoYG201QZteYvFDOBiay6vC5N+Ia+xoVkV20ha:3s/4v78l5we+D0iay6K5N+Ia+93a
TLSH T1EC84235A160BFA49A24C397FF4118F933166D61B5EF29936B74C5B30F2D23A72C84670
Reporter cocaman
Tags:7z FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Hashim Abdulla" <sales@mr-freshco.com>" (likely spoofed)
Received: "from mr-freshco.com (unknown [103.167.93.76]) "
Date: "25 Nov 2021 15:57:55 -0800"
Subject: "REQUEST FOR URGENT QUOTATION _{RFQ}"
Attachment: "RFQ_445556667887_ JPG IMAGE_.7z"

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs1481.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a081c0b71ceed415312f08/reports/fa38f190-6abc-4903-aba2-0a2e828fdd00/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9b4af1ad9662321be7d1da77839ac8b527810d934f8b5c21594e71afcc1d5d63
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b4af1ad9662321be7d1da77839ac8b527810d934f8b5c21594e71afcc1d5d63/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 05:33:58 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnfpdlmwmizbxz6r3j3yhgwiwutycdmtj6fvyikzjzy27ta5lvrq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:xgmi loader rat
Link:
https://tria.ge/reports/211126-hgcyraebe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.mxnorge.com/xgmi/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9b4af1ad9662321be7d1da77839ac8b527810d934f8b5c21594e71afcc1d5d63

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 9b4af1ad9662321be7d1da77839ac8b527810d934f8b5c21594e71afcc1d5d63

(this sample)

Formbook

Executable exe 2d9cb324f1b2bd1917884e36d5b13b9e949807ae5caba015bff60e8ec7d483d3

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2d9cb324f1b2bd1917884e36d5b13b9e949807ae5caba015bff60e8ec7d483d3
  
Dropping
Formbook

Comments