MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bcbcd1a0ff4f8c5f81c5172ae88f670e1e3b97687572ada4a2163204f8fae8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	9bcbcd1a0ff4f8c5f81c5172ae88f670e1e3b97687572ada4a2163204f8fae8c
SHA3-384 hash:	ab40268f3bb218f923938ef5e96e781328e785b189e77215bc0313f21d9d9b8247e35550382ad9a86b94cd5697bab007
SHA1 hash:	a45581299cc50b734145e6554289ded6942c1c1f
MD5 hash:	881b344339dd9a0a1213e0c74750e562
humanhash:	failed-island-victor-skylark
File name:	Invoice & Packing list.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	479'454 bytes
First seen:	2021-07-27 06:05:32 UTC
Last seen:	2021-07-27 06:07:19 UTC
File type:	zip
MIME type:	application/zip
ssdeep	12288:9G6LQh9lgQKylFOn1mVhBpyNCZ4C/Lqaci:9GJVxO0Bmt8Lx
TLSH	T169A423FC76A9D9AC6CD460F092E84744DC3FFBF1B09997C46D8B464798090AFE0A5E12
Reporter	cocaman
Tags:	FormBook INVOICE zip

cocaman

Malicious email (T1566.001)
From: "m.askari@tiamtejarat.com" (likely spoofed)
Received: "from tiamtejarat.com (unknown [45.137.22.139]) "
Date: "27 Jul 2021 03:38:51 +0200"
Subject: "RE: Invoice & Packing list For Sea Shipment,"
Attachment: "Invoice & Packing list.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs1999.UNOFFICIAL

SecuriteInfo.com.Variant.Bulz.576431.2586.16580.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/9bcbcd1a0ff4f8c5f81c5172ae88f670e1e3b97687572ada4a2163204f8fae8c

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-27 01:16:22 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tpf42gqp6t4ml6a4kfzk5chwodq6holwq5lsvwskefrsat4pv2ga._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat suricata

Link:

https://tria.ge/reports/210727-3x7el4mp62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

CustAttr .NET packer

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.panyu-qqbaby.com/weni/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/9bcbcd1a0ff4f8c5f81c5172ae88f670e1e3b97687572ada4a2163204f8fae8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 9bcbcd1a0ff4f8c5f81c5172ae88f670e1e3b97687572ada4a2163204f8fae8c

(this sample)

Formbook

exe 3a4677dc6f14f38983af15458b11d5f92e71dea8d5cd0e5b263c50d211a72621

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 3a4677dc6f14f38983af15458b11d5f92e71dea8d5cd0e5b263c50d211a72621

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample