MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d7e73c9806d26edc69675429f9379cc6ed69a7b529fbaab5a4e07899649780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1d7e73c9806d26edc69675429f9379cc6ed69a7b529fbaab5a4e07899649780
SHA3-384 hash: ff9c4d5618586ee333490c3188277bbcf34844837f5bf60a258f0fc2b7b46e32cef08571ae9dfbf59e8d514dbfacd7fb
SHA1 hash: 0ac00448d1e4dada3ca4e05a8e9588e3f7aa9659
MD5 hash: 68c3288282a55946c3da4b9e8a010a4d
humanhash: november-yellow-cola-india
File name:swift_copy#0987678_xls.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:246'101 bytes
First seen:2022-02-02 06:21:48 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:mVyVfyszHNezzcmLEGNBGCn+sjrK2SxA1lHMMNFk12mrcS/n4m:Qtsz8zpEGNtPnKLiLMMfRmrcS/4m
TLSH T17D342314DB85DD089EAFCFC849C5D9068AE7513DD2DD4FB8F417A2A93B4C3026B94E88
Reporter cocaman
Tags:FormBook rar SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: "Chief Financial Officer <postmaster@upd-reg.live>" (likely spoofed)
Received: "from srv3.upd-reg.live (srv3.upd-reg.live [192.227.170.198]) "
Date: "1 Feb 2022 22:21:23 -0800"
Subject: "Re: Outstanding Payment #Swift-Copy"
Attachment: "swift_copy#0987678_xls.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61fa230da0f6a794b332b3d2/reports/511ef060-f3a4-472b-875a-2b76416d6d3f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1d7e73c9806d26edc69675429f9379cc6ed69a7b529fbaab5a4e07899649780/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 06:22:08 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whl6opeya3jg5xdjm5kct6jxttdo22nhwuu7xkvvutqhrgles6aa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:3a4h loader rat suricata
Link:
https://tria.ge/reports/220202-g4xq1ahbfj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/b1d7e73c9806d26edc69675429f9379cc6ed69a7b529fbaab5a4e07899649780

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b1d7e73c9806d26edc69675429f9379cc6ed69a7b529fbaab5a4e07899649780

(this sample)

Formbook

Executable exe 58f65684890c1ec3e63d010defd5f3c48f963865d2fa1d468d5a5f44b7026164

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 58f65684890c1ec3e63d010defd5f3c48f963865d2fa1d468d5a5f44b7026164

Comments