MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae027ce7ae2fe9beae54dd28cc762c3be6a7652918490c9cc30f8498937d50b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 7



SHA256 hash: ae027ce7ae2fe9beae54dd28cc762c3be6a7652918490c9cc30f8498937d50b8
SHA3-384 hash: c0428576a4187d9a8f7fbbdc53fe7e7455c8081911b5545aded19f8fe080761b44325b78ca89671fcdf77fc6ef7b0493
SHA1 hash: 7b77e0a5959bad76d514f5a055c055ef3fcd1053
MD5 hash: d232c424641bd7c98da1e72b340c9960
humanhash: triple-ohio-social-summer
File name: pounds Payment.zip
Signature: Formbook
File size: 951'563 bytes
First seen: 2022-02-14 16:08:14 UTC
Last seen: 2022-02-14 18:25:52 UTC
File type: zip
MIME type: application/zip
ssdeep: 24576:cAh8/GckcaGG8lYyCiVgDTQ0b2PutvXe7xQH51:o/GBGG58VEzvXYQH51
TLSH: T1E21533147639F6CAD1E5E7A6A4B0B4F01F1D4879862AF8FC0812B360F7387D79969C09
Reporter: cocaman
Tags: FormBook INVOICE zip


cocaman
Malicious email (T1566.001)
From: "KCTC International Ltd.<accounts@kctcintl.co.kr>" (likely spoofed)
Received: "from kctcintl.co.kr (unknown [185.222.58.58]) "
Date: "14 Feb 2022 17:06:50 +0100"
Subject: "pounds Payment Only//Revise Invoice to pounds Currency//Provide pounds Bank Details"
Attachment: "pounds Payment.zip"

Intelligence

File Origin
# of uploads: 2
# of downloads: 301
Origin country: n/a

Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.Tnega
Status: Malicious
First seen: 2022-02-14 16:09:12 UTC
File Type: Binary (Archive)
Extracted files: 21
AV detection: 19 of 27 (70.37%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:8gce loader rat
Behaviour:
  Checks processor information in registry
  Enumerates system info in registry
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  Drops file in Windows directory
  Suspicious use of SetThreadContext
  Deletes itself
  Xloader Payload
  Xloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    zip ae027ce7ae2fe9beae54dd28cc762c3be6a7652918490c9cc30f8498937d50b8 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Formbook
