MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2bbc56134cddeaf21cb8096e28022253ac62814c52d94d9779c2411cde12d30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2bbc56134cddeaf21cb8096e28022253ac62814c52d94d9779c2411cde12d30
SHA3-384 hash: 487de2ed6cea3248f1d327ab0eb44818efd41da825601136da226d0ff8d6a01a312e40111ffab95cf544057c0aa414a2
SHA1 hash: 8f44f19ffc0017c0afb676c05255f26afdbc297e
MD5 hash: 48eb4526550983c17d1dc7fb639e1f13
humanhash: charlie-network-ink-violet
File name:PESO 23.360,40 KGS HBL LUA22030011.7z
Download: download sample
Signature Formbook
Create hunting rule
File size:182'571 bytes
First seen:2022-05-06 05:59:42 UTC
Last seen:Never
File type: 7z
MIME type:application/x-rar
ssdeep 3072:cbtHFWILXDF9PI5LQOm1ribWjW1S69TC1m7y0KLPF/H4Tqw0AwuOplRv:cbXVLXnQ5xm4xCouR/H4Tqw6xpX
TLSH T1060413012CC36EB748A334764D62ED06F3DEC73BF595C3701BDBE216E9206AA696C590
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:7z FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "Dacotrans Nicaragua Nic <daconic@gmail.com>" (likely spoofed)
Received: "from gmail.com (unknown [45.137.22.135]) "
Date: "6 May 2022 01:48:13 +0200"
Subject: "EMBARQUE || 01x40HQ CTC 1350 BTS "CRUCIBLE" PESO 23.360,40 KGS || HBL LUA22030011"
Attachment: "PESO 23.360,40 KGS HBL LUA22030011.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6274b964b119a5f609a774e1/reports/65862d50-eee3-4fa1-a8ed-4bf14b4f4f54/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2bbc56134cddeaf21cb8096e28022253ac62814c52d94d9779c2411cde12d30/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 06:00:08 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wk54kyjuzxpk6iolqclofabceu5mmkauyuwzjwlxtqsbdtpbfuya._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:g5so loader rat suricata
Link:
https://tria.ge/reports/220506-gqbllshce4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2bbc56134cddeaf21cb8096e28022253ac62814c52d94d9779c2411cde12d30

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z b2bbc56134cddeaf21cb8096e28022253ac62814c52d94d9779c2411cde12d30

(this sample)

Formbook

Executable exe 304602b81a7a20873c7e72eec0d2c97b5994890910db8f7f0e05025d468bed86

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 304602b81a7a20873c7e72eec0d2c97b5994890910db8f7f0e05025d468bed86
  
Dropping
MD5 4d3d5c3c5b3c85b2dd3d73b99b4c813f

Comments