MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026
SHA3-384 hash: ac2c4fe61049042235f7bcf5176ab9be85d5166e3331d66e75ed1b2dfe024dd381c8197e05512669abc237251fe28b52
SHA1 hash: 511f01de6de6005e2a2e46cd8195b54f7587523b
MD5 hash: 312c90c5dd2f309e66f8886a79b0c972
humanhash: green-pasta-crazy-fifteen
File name:Purchase Order_VP-SYM102021 P21060008.xll
Download: download sample
Signature Formbook
Create hunting rule
File size:1'003'520 bytes
First seen:2022-02-24 17:23:45 UTC
Last seen:2022-02-24 18:53:32 UTC
File type:Excel file xll
MIME type:application/x-dosexec
imphash be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep 12288:E0WwOIMiR4ye8bzbBSrex5A3FgGdgzmJGuDUFRrQpZiMAV4EevSwI4c40NsZdGVu:E03XX13A6qgzdOORkRAV+VT0+ZgAu
Threatray 54 similar samples on MalwareBazaar
TLSH T12B25BF56BECA6EA1EFBF47B78360D6290126736E03A197CF7603049D3951EC2443EA07
Reporter abuse_ch
Tags:FormBook xll

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.52.30333.13533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/6217bf3b3b743d74eee6fd4f/reports/be08ef0a-d26c-4f34-96d5-61648eea979a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 09:34:41 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wiekjjj7eyrnnrroz4sytb5caog22isvoopqrhujsswmr5xkaata._file
Verdict:
unknown
Similar samples:
1c7e66126306537a453d7a792978464aa8ad5ac2f34bd1fccfffe7e0b9c6d85c
Formbook
30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4
Formbook
882312787d62f8bbebd46a7ce54207ec7eced13335de9ce6ae75a0a1e52dcb09
Formbook
97e21c7a37cbdb5cff93a18cce5b5495574be821d999e0e876c8be48ab56ca6e
Formbook
bac03f9b60b043b72ae8548b8915dd6058c71b6beae23652389b0cb9310af91d
Formbook
ce5c54ac577153e15fb793c022b54fb473752b876525111d6aac97369e72e85e
Formbook
e01271da5d003c2c0c47314e9bf83fc66e2329c27e7febd768db1a4ecc45aedb
Formbook
e0a8a096299e8b28d1166af3321045635294e03227d45515f5c48f4fd38e943b
Formbook
fbfaa1c4f9d13a4c6043bc66e71df3304be8bf8eec0277680c65c2bef402513b
Formbook
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
Formbook
+ 44 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:okup loader rat suricata
Link:
https://tria.ge/reports/220224-vyp1vsefgq/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xll b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments