MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a704e23e94a60b587af2ecb134b1c6e8d46501a4b0e7a5ab5fdb4f726be37baf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	a704e23e94a60b587af2ecb134b1c6e8d46501a4b0e7a5ab5fdb4f726be37baf
SHA3-384 hash:	523c60655107e9faf992d1762b671f9e7fc35d356ce1683bb1b7609d7a5be34c32f12ed3290bbb1ad7a9e37f9127f75d
SHA1 hash:	b7d1b10e09979408f62fedc9028bc9b456597d04
MD5 hash:	b6369e7ea17516536af86280becd0691
humanhash:	california-low-fourteen-uncle
File name:	PURCHASE_ORDER_00987_PDF.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	304'219 bytes
First seen:	2021-08-13 08:52:24 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	6144:eLA2shjRWXUS+Bf3KatK9P2Va20SFfva0lzp0KDsmvFmPG62ryY4v3:B7j/3KafVaqFfva0lzpJOPP2eYg
TLSH	T1585412ECA2EDE08EDAC7E97A4693D5C9C5C130D8794383C95A211F342F8D448A9DD4EB
Reporter	cocaman
Tags:	FormBook rar

cocaman

Malicious email (T1566.001)
From: ""Regis Efremova" <regis@mua.ac.th>" (likely spoofed)
Received: "from mua.ac.th (unknown [185.222.57.184]) "
Date: "13 Aug 2021 10:47:36 +0200"
Subject: "PURCHASE ORDER"
Attachment: "PURCHASE_ORDER_00987_PDF.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27271.Rar5Heur.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a704e23e94a60b587af2ecb134b1c6e8d46501a4b0e7a5ab5fdb4f726be37baf/

Threat name:

Win32.Trojan.ZmutzyPong

Status:

Malicious

First seen:

2021-08-13 08:53:04 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

13 of 46 (28.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u4coepuuuyfvq6xs5sytjmog5dkgkanewdt2lk273nhxe27dpoxq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:snaa loader rat suricata

Link:

https://tria.ge/reports/210813-jvh9t1y1he/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Blocklisted process makes network request

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.xeotochevrolet.com/snaa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a704e23e94a60b587af2ecb134b1c6e8d46501a4b0e7a5ab5fdb4f726be37baf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar a704e23e94a60b587af2ecb134b1c6e8d46501a4b0e7a5ab5fdb4f726be37baf

(this sample)

Formbook

exe 70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7

Dropping

Formbook

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample