MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7



SHA256 hash: ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd
SHA3-384 hash: 2dfea8f0d5b51205437150750af300a7c4ccf8b9c9943346844cf090dd932f76e9467bdb5c7dcf48d24bda5f9a71a266
SHA1 hash: 2119989b539ebe1cfcdac7a1d20672e7bf8f4415
MD5 hash: 448027ac61130d2e4d6db71e3bfbc888
humanhash: uranus-asparagus-friend-pizza
File name: ARCO Purchase Requisition NO. REQ-05426.xll
Signature: Formbook
File size: 4'608 bytes
First seen: 2022-02-22 08:07:35 UTC
Last seen: Never
File type: Excel file xll
MIME type: application/x-dosexec
ssdeep: 48:Zvt1FVUT7IzKFG35odeKWd2zPmCY458tpj9/vey+WreTdm0lgKoJgUQ2:Z1FQ7eoeKZz+sopjhve6rvEBoJ7Z
Threatray: 13'701 similar samples on MalwareBazaar
TLSH: T10C912907E2FCB0A3C0AA9A74118D0191EEC2D8707B7B5FC70EC596177AA69626D20FC5
Reporter: abuse_ch
Tags: FormBook xll

Intelligence

File Origin
# of uploads: 1
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Office Add-Ins - Suspicious
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win64.Trojan.Tnega
Status: Malicious
First seen: 2022-02-21 15:30:37 UTC
File Type: PE+ (Dll)
AV detection: 17 of 28 (60.71%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:g5ef loader rat
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Xloader Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments