MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baa24d276686a4ad1e529254922692679899535943ac0993f5aaa6fff8e999eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	baa24d276686a4ad1e529254922692679899535943ac0993f5aaa6fff8e999eb
SHA3-384 hash:	cd43cee56d2d389caa87286ab649e8a1a3f1661de9c4c71ad1fe356bfefd7fe2b2bd071350d676de12afa36889c544de
SHA1 hash:	da7af5e13cc0700236c4bb78075b020b029a7df5
MD5 hash:	0dad048bdcca8bf6ed361c5451629174
humanhash:	nine-snake-low-ink
File name:	Purchase_Order.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	667'697 bytes
First seen:	2021-06-21 12:55:35 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:6/NUjfLYo6q94v+smJkKe1Sbd5KMYGaOjFSddzrJhJA7a+86MYz7DlR:ljf5h4v2Zekbd5KMTaAezrTJARz7ZR
TLSH	99E42385492A194BC1A12081CE8FD69137D46FDA1C0A3899C6FD7ECF97D04E8B2B749E
Reporter	cocaman
Tags:	FormBook zip

cocaman

Malicious email (T1566.001)
From: "Nguyen Xuan Binh <info@thuanhiepthanh.com>" (likely spoofed)
Received: "from thuanhiepthanh.com (unknown [103.125.190.80]) "
Date: "21 Jun 2021 05:00:57 -0700"
Subject: "Ref. #20880 from THUAN HIEP THANH CO., LTD"
Attachment: "Purchase_Order.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs245.UNOFFICIAL

Sanesecurity.Malware.20995.ZipHeur.UNOFFICIAL

Sanesecurity.Malware.22205.ZipHeur.UNOFFICIAL

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/baa24d276686a4ad1e529254922692679899535943ac0993f5aaa6fff8e999eb

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/baa24d276686a4ad1e529254922692679899535943ac0993f5aaa6fff8e999eb/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-21 12:56:17 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 46 (30.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xkre2j3gq2sk2hsssjkjejusm6mjsu2ziowate7vvktp76hjthvq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210621-cdnafvg6fa/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.culturalinterface.net/uqf5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/baa24d276686a4ad1e529254922692679899535943ac0993f5aaa6fff8e999eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip baa24d276686a4ad1e529254922692679899535943ac0993f5aaa6fff8e999eb

(this sample)

Formbook

exe de5a91649e654f5273032c0e524491e7ac1c6260e1140472c72b031dfe4fba91

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 de5a91649e654f5273032c0e524491e7ac1c6260e1140472c72b031dfe4fba91

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample