MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9f4442b30dac48efda431f9c0d5b4ddd058283b3dbbfd8abe6c7428eaf09ca2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	a9f4442b30dac48efda431f9c0d5b4ddd058283b3dbbfd8abe6c7428eaf09ca2
SHA3-384 hash:	55a89a449c1dfd1a4db485a9c9c9ef4acab762d6687b90c91b6a0e81f5dd9891f2aaf7f97aa37aa02c7461b199e1757d
SHA1 hash:	668bb3c7c651090c736459f46fae25666e2978fb
MD5 hash:	727cd476f4edc0d44275d1d8ca89b165
humanhash:	montana-victor-jig-oxygen
File name:	P Order pdf.7z
Download:	download sample
Signature	Formbook Create hunting rule
File size:	598'115 bytes
First seen:	2021-04-24 09:54:22 UTC
Last seen:	Never
File type:	7z
MIME type:	application/x-rar
ssdeep	12288:TW3rR1BBPjBSTgI8MR7Z69i5xCDjmqc6jFISuSW96LiDW0K0bR:T8ZITlE0SDjppjFXu6m/NbR
TLSH	08D423D7D8B8535239F77ED3239ECA189B6204D4E263E162C75B14768E3F6862E00ED1
Reporter	cocaman
Tags:	7z

cocaman

Malicious email (T1566.001)
From: "Sales Engineer<Preeda.Maikaew@alkuhaimi.com>" (likely spoofed)
Received: "from alkuhaimi.com (unknown [45.137.22.56]) "
Date: "24 Apr 2021 01:41:10 -0700"
Subject: "Please Reconfirm,"
Attachment: "P Order pdf.7z"

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27342.RarHeur.v5.HideExt.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9f4442b30dac48efda431f9c0d5b4ddd058283b3dbbfd8abe6c7428eaf09ca2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-24 08:51:01 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

10 of 47 (21.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vh2eikzq3lci57negh44bvnu3xifqkb3hw573cv6nr2cr2xqtsra._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210424-gpgjpbtevx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://w��5 �@q[*��S=��m

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z a9f4442b30dac48efda431f9c0d5b4ddd058283b3dbbfd8abe6c7428eaf09ca2

(this sample)

Formbook

exe 625140ec60caaae03895c18ad400c65f5d5b15f55c7a01eb419a4215d295a6ee

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 625140ec60caaae03895c18ad400c65f5d5b15f55c7a01eb419a4215d295a6ee

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample