MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af44da4d5824fb003cfd2833c9552920c776b8bd4c486034ecc1127043145b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af44da4d5824fb003cfd2833c9552920c776b8bd4c486034ecc1127043145b12
SHA3-384 hash: 311eb69236cab64d4a2e9d3e4836a2a69e37f7b90a54e72cf152f6fc43e54a93eee8551125cc6dc06f602a3ff0209eea
SHA1 hash: a03af6c42d9c4c05ac67b7780b930310bcc9114c
MD5 hash: 29b2f9160e8bf9c7de57bac3aff47760
humanhash: xray-freddie-two-fruit
File name:PRE-ALERT ==HTHC22031529.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:478'261 bytes
First seen:2022-06-03 06:45:20 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:few9xzfkCpcXjn4+4q5lVwZT8b6eLh41Nsv8cPk:frbkC5u7VQeLCvsq
TLSH T1ACA423096ACB15A4C09C0259BB9F8F7A01F2F544A106E93FC2A1CDCE5E43CB7931B5E9
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "import@seamarco.com.cn" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.39]) "
Date: "3 Jun 2022 05:07:54 +0200"
Subject: "PRE-ALERT ==HTHC22031529"
Attachment: "PRE-ALERT ==HTHC22031529.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.31598.17523.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6299ae2ce4ca2b59334dfe26/reports/0fa51eac-0acd-4862-8118-90b0aebe81be/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/af44da4d5824fb003cfd2833c9552920c776b8bd4c486034ecc1127043145b12
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af44da4d5824fb003cfd2833c9552920c776b8bd4c486034ecc1127043145b12/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-06-03 06:46:06 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
8 of 41 (19.51%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5cnutkyet5qaph5faz4svjjeddxnof5jreganhmyejhaqyulmja._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:he8c loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220603-hjmkzagcbk/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/af44da4d5824fb003cfd2833c9552920c776b8bd4c486034ecc1127043145b12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip af44da4d5824fb003cfd2833c9552920c776b8bd4c486034ecc1127043145b12

(this sample)

Formbook

Executable exe e501033aa51872169d36301b995f068598c4d56dc651bcbf5efc1722bbd35e39

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 e501033aa51872169d36301b995f068598c4d56dc651bcbf5efc1722bbd35e39

Comments