MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5e2f0b102ec8b6097bbe3618a1a0421cc9006b81dd0964e0453c7c95d7e414d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5e2f0b102ec8b6097bbe3618a1a0421cc9006b81dd0964e0453c7c95d7e414d
SHA3-384 hash: 531595725e47656ae14d3df26d93e5c78ba26fba5cac2cf8441e5c9f6c5885fcd6712b264dfbcb5fbe5e5b52e97fa7dd
SHA1 hash: a1d49535dac59ca12a35baa93668298c58f67b18
MD5 hash: f1bf6cf80da74078a78786e1bee7c5d8
humanhash: beer-bulldog-winter-lamp
File name:Order confirmation.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:591'169 bytes
First seen:2022-05-24 07:33:05 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:tNjQg7W7p0P6PLKrNFcZzZ3ij6eRoeErJqcz66OIUwat8ZmfAid:4Q6zKrnczBbeRv9cerIUvqcD
TLSH T141C4233137BFBD2911A3BCDB689E1A528B5FDE905B8E7478B45553C38C1AA182D2C0DC
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Info - Cater4You <info@cater4you.co.uk>" (likely spoofed)
Received: "from rdns0.hoyhting23.gq (915065-ct94401.tmweb.ru [94.228.122.122]) "
Date: "24 May 2022 07:19:48 +0200"
Subject: "URGENT ORDER CONFIRMATION"
Attachment: "Order confirmation.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628c8aa765e338159937d7ac/reports/b5f34c4a-08fb-4295-ae0c-cd9d5e5d0f23/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5e2f0b102ec8b6097bbe3618a1a0421cc9006b81dd0964e0453c7c95d7e414d/
Threat name:
ByteCode-MSIL.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 07:34:09 UTC
File Type:
Binary (Archive)
Extracted files:
21
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxrpbmic5sfwbf534nqyugqeehgjabvydxijmtqekpd4sxl6ifgq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:qg2u loader rat suricata
Link:
https://tria.ge/reports/220524-jd367sfgg4/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b5e2f0b102ec8b6097bbe3618a1a0421cc9006b81dd0964e0453c7c95d7e414d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b5e2f0b102ec8b6097bbe3618a1a0421cc9006b81dd0964e0453c7c95d7e414d

(this sample)

Formbook

Executable exe 14e33c808b632f5e4e6e94dc332135dfd337b01eff777b20230790348b63754e

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 14e33c808b632f5e4e6e94dc332135dfd337b01eff777b20230790348b63754e
  
Dropping
MD5 34b6ddb3207ff54351d809460cb4e02a

Comments