MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa2959d2c85e38ff431701c308fdc8cd71f173bfa9aaa5f02a2fb89c1782d299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5



SHA256 hash: aa2959d2c85e38ff431701c308fdc8cd71f173bfa9aaa5f02a2fb89c1782d299
SHA3-384 hash: e0c13513451ba7e38633745281b8d9ba32973dc3c68d6e1d6bf3368427873cc80db296ba6b6b382dc68fdc1f2459ed61
SHA1 hash: 156f96119019650be093d7754c64628a5a77ad31
MD5 hash: 08ce80d4380f4145d01cf821d7fce034
humanhash: happy-iowa-bravo-zulu
File name: doc0490192021092110294.lzh
Signature: Formbook
File size: 447'221 bytes
First seen: 2021-09-24 07:51:59 UTC
Last seen: 2021-09-24 08:03:17 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 12288:Wvs+cdvonHEhk47JpOF964P0/ZDeAmA0wL:Wvs7taYJpC64gDeA10y
TLSH: T1ED9423A6DE83C1B07E4D16D818AE311F6D19654444687F3FE360D126B8CBF9D88CA86B
Reporter: cocaman
Tags: FormBook INVOICE lzh rar


cocaman
Malicious email (T1566.001)
From: "Export <export@erentrefo.com>" (likely spoofed)
Received: "from erentrefo.com (unknown [185.222.58.155]) "
Date: "23 Sep 2021 23:58:51 +0200"
Subject: "TAX INVOICES & LPOs"
Attachment: "doc0490192021092110294.lzh"

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 242
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-09-23 23:46:52 UTC
AV detection: 8 of 27 (29.63%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:ergs rat spyware stealer suricata trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config
C2 Extraction: http://www.iselotech.com/ergs/

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
Formbook
rar aa2959d2c85e38ff431701c308fdc8cd71f173bfa9aaa5f02a2fb89c1782d299 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments