MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cca3833ff60ab33185994fa34218085d7e9a4c929ad3c4d4644aac1065897c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cca3833ff60ab33185994fa34218085d7e9a4c929ad3c4d4644aac1065897c1
SHA3-384 hash: ca148bad84312aeda593e4ca71770fe7c3492f2dfc713be9d0de9bf151fad5e572dcaa0f5eb847c8f72bc4bd7b780c31
SHA1 hash: 50c5a6ccb798350487e36a8a2fd2f2607b433f6c
MD5 hash: 4650b42356b30d009eeda4de1367b8df
humanhash: harry-enemy-oranges-idaho
File name:SOW & Drawings pdf.tar
Download: download sample
Signature Formbook
Create hunting rule
File size:555'480 bytes
First seen:2021-07-20 18:38:48 UTC
Last seen:Never
File type: tar
MIME type:application/x-rar
ssdeep 12288:NIFefqT12lychgqALm9dVSSxrYyyjDNXPBi49fVEc:N01ZcGox85FPBdfVv
TLSH T173C4331AEDA229D47C35815B41B2BA742B32C8BE47FF3519C27A5A31DAC4C58E7C9123
Reporter cocaman
Tags:FormBook tar


Avatar
cocaman
Malicious email (T1566.001)
From: "Mauz Aslam <tpdept@pacost.com>" (likely spoofed)
Received: "from dedi.safetycircleindia.com (dedi.safetycircleindia.com [103.120.177.212]) "
Date: "Wed, 21 Jul 2021 01:19:13 +0800"
Subject: "RFx-6000165763-NEW TANAJIB-SA Project"
Attachment: "SOW & Drawings pdf.tar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cca3833ff60ab33185994fa34218085d7e9a4c929ad3c4d4644aac1065897c1/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 18:39:03 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
6 of 46 (13.04%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttfdqm77mcvtggczst5diimaqxl6tjgjfgwtytkgisvmcbsys7aq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210720-2kfc1ykhvj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.coffeyklatch.com/iuem/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cca3833ff60ab33185994fa34218085d7e9a4c929ad3c4d4644aac1065897c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

tar 9cca3833ff60ab33185994fa34218085d7e9a4c929ad3c4d4644aac1065897c1

(this sample)

Formbook

Executable exe 503f83e4dea1cb3a70d4c309471ea87756a2465c64533d2ea7103b37bd787788

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 503f83e4dea1cb3a70d4c309471ea87756a2465c64533d2ea7103b37bd787788

Comments