MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c
SHA3-384 hash: 5bbdf6ea7e897fcf2e7290c2223bd979e05e2e1649c0f142a3334072e0906b78e7b1f0ca88762f194dbff6f0a0695230
SHA1 hash: 3028727e5fdd62e3bed766c69367bf8543a99698
MD5 hash: 12a525327f00e22382fbecdf23cd536f
humanhash: juliet-fanta-nuts-minnesota
File name:Payment Advice.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:96'600 bytes
First seen:2022-01-19 12:21:45 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 1536:E+WDRf23Ry/45kqnwPoBmqVYaHE/DtyxtxWIc91gL7pfUQBMXle3kxz1tGdDYwgj:PWe/dntm/s0OlcPgL7pfBBMXlQkrkdTk
TLSH T16893129E8534DDB7BA43B06D038E6783F0CF8F626FB196BC1C55BA519CAC8B23164611
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: ""Redes - Account Dept." <sent@bhhl.com>" (likely spoofed)
Received: "from jolly-goldberg.185-176-220-149.plesk.page (unknown [185.176.220.149]) "
Date: "19 Jan 2022 03:49:19 -0800"
Subject: "=?UTF-8?B?UmU6IFJlIDog5Zue5aSN77yaIFByb29mIG9mIHBheW1lbnQgZm9yIG92ZXJkdWUgaW52b2ljZSA=?="
Attachment: "Payment Advice.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27281.GZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61e802700f8c757253cc548a/reports/faaa8899-27f7-44b9-ba04-9819530ba8e6/overview
Result
Verdict:
UNKNOWN
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 11:21:55 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wc4yn3kwksylycbeg5z4frlvldb5dyivr5tuj2x5psjvppzniaoa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:be4o loader rat suricata
Link:
https://tria.ge/reports/220119-pjxjhahffn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c

(this sample)

Formbook

Executable exe fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc

Comments