MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baab27475406e896cf4ee9bb81edef9026a3080366d75b5035b0341607cd84d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baab27475406e896cf4ee9bb81edef9026a3080366d75b5035b0341607cd84d2
SHA3-384 hash: 4a366d5ad3dd351fbdbd8e269f76145961b24638f2637ef68a271843c368e44bd9f8386c07825270ede83ce8cf9f39b2
SHA1 hash: 98f24ea3d518861af7b84f1c439ed4b8c66cc67f
MD5 hash: 5429336e843b50dc3b968f0e29e41774
humanhash: high-saturn-don-eight
File name:INVOICE.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:227'934 bytes
First seen:2021-06-04 05:41:32 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 6144:ka2hg+F6v6ACrqQghIYEqSRqfKdUjQOMxGln:k9eODLqRhlEq9QOMEN
TLSH 4B2423BA7FA6CD2452340B242EFF7947DBA08D5C9411E3CD6A085361473A3BE4F1A6C9
Reporter cocaman
Tags:FormBook gz INVOICE


Avatar
cocaman
Malicious email (T1566.001)
From: "Terence So <terence.so@otlsystems.com>" (likely spoofed)
Received: "from otlsystems.com (unknown [185.222.57.135]) "
Date: "3 Jun 2021 22:19:20 -0700"
Subject: "Re: PO 2020208"
Attachment: "INVOICE.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/baab27475406e896cf4ee9bb81edef9026a3080366d75b5035b0341607cd84d2/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-04 05:42:09 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
14 of 46 (30.43%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkvsor2ua3ujnt2o5g5yd3ppsatkgcadm3lvwubvwa2bmb6nqtja._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210604-m727blxjt6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.gicc-fx.com/uer0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/baab27475406e896cf4ee9bb81edef9026a3080366d75b5035b0341607cd84d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz baab27475406e896cf4ee9bb81edef9026a3080366d75b5035b0341607cd84d2

(this sample)

Formbook

Executable exe c59f3d09668674cc602a759071c5972b8f78b2b829afd3fb8d5e6f9ecd820280

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c59f3d09668674cc602a759071c5972b8f78b2b829afd3fb8d5e6f9ecd820280
  
Dropping
Formbook

Comments