MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d70cc060417df5286e4f2ea07d60e925b79dfaac91dd03651ce6639b0309a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

SHA256 hash: b2d70cc060417df5286e4f2ea07d60e925b79dfaac91dd03651ce6639b0309a4
SHA3-384 hash: ce052f85a35f93fff67a6e4bf638d7dafef31196183a465a6e6b84fc69ff89ca0040f1669ca0b316ba3b205b5de30433
SHA1 hash: 45f2c9c7f84d7c9b29c8967abfaa32eb537b4a7b
MD5 hash: 8cb50079161ea060a5c8560b9716fa43
humanhash: ack-kitten-black-sixteen
File name: PROPOSED ORDER.rar
Signature: Formbook
File size: 221'894 bytes
First seen: 2021-08-06 06:28:04 UTC
Last seen: 2021-08-07 10:20:57 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 6144:XAp+z3MGB/rQmFiOrs55NmmVFPm2JY+dV7An26Z2L+cDM+XQxL:Xtp/UmkOrs5zPNY+b7AnZ2L+cQ+e
TLSH: T1E124237A46E507CBD682ABFF250994C32ABD545A371EF4098F7CCEE278C27683542E44
Reporter: cocaman
Tags: FormBook rar


cocaman
Malicious email (T1566.001)
From: "info@chasahlogisticsltd.com" (likely spoofed)
Received: "from chasahlogisticsltd.com (unknown [185.222.57.184]) "
Date: "07 Aug 2021 12:17:14 +0200"
Subject: "PROPOSED ORDER"
Attachment: "PROPOSED ORDER.rar"

Intelligence


File Origin
# of uploads: 2
# of downloads: 334
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2021-08-06 02:38:19 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 12 of 46 (26.09%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:usvr loader rat suricata
Behaviour:
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Deletes itself
- Blocklisted process makes network request
- Xloader Payload
- Xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction: http://www.microprojects.net/usvr/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook
rar b2d70cc060417df5286e4f2ea07d60e925b79dfaac91dd03651ce6639b0309a4 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments