MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af03492db108628fc60b8f642ba3c5d1692ed7d4c94dba474c5b7f9e5c0ab121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af03492db108628fc60b8f642ba3c5d1692ed7d4c94dba474c5b7f9e5c0ab121
SHA3-384 hash: e82eec472d8a279dc5fe752bc3b3a96d4b0ebb9f7d41b6c48b8f8717388c464e27cbb749835150951e2f7a2723a8b997
SHA1 hash: ba5d9ded61efcb841f6c2677ede95c5b8c27d0a5
MD5 hash: a0d902711f967c1d1129d0988891a5bf
humanhash: nineteen-robert-eleven-december
File name:Payment_Advice.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:704'038 bytes
First seen:2021-08-11 12:26:01 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:V6R5eCK2zd0W9pyeJ6qdwUShgHVEpdWFl1gCT+DR0NOUhnxRcN72SFo6DKmd3Qq1:ki2zd0W9pyegfUegHVE74l1PT+DR0QKw
TLSH T17CE433DDC9711BAC68D65B5A52B22CF9E7E2DAC707B186AEC09864C4E03E7D7320744C
Reporter cocaman
Tags:HSBC lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "HSBC Advising Service <ventas@macpallet.com.ar>" (likely spoofed)
Received: "from smarthost1.gohsphere.com (smarthost1-out06.gohsphere.com [199.127.218.11]) "
Date: "Wed, 11 Aug 2021 18:28:45 +0800"
Subject: "Payment Advice - Advice Ref:[G6051587670] / Priority payment /
Customer Ref:[COT 41627]"
Attachment: "Payment_Advice.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af03492db108628fc60b8f642ba3c5d1692ed7d4c94dba474c5b7f9e5c0ab121/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 09:05:38 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
12 of 46 (26.09%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4buslnrbbri7rqlr5scxi6f2fus5v6uzfg3ur2mln7z4xakweqq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o4ms rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210811-5vq7d5zegs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.nocodehost.com/o4ms/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af03492db108628fc60b8f642ba3c5d1692ed7d4c94dba474c5b7f9e5c0ab121

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar af03492db108628fc60b8f642ba3c5d1692ed7d4c94dba474c5b7f9e5c0ab121

(this sample)

Formbook

Executable exe bd746ec7cac902a0b12f829efa801316f11b5ab6df024ff0f75c178134daad99

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bd746ec7cac902a0b12f829efa801316f11b5ab6df024ff0f75c178134daad99

Comments