MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb9e87b2006433c6f980b323396bbe97cfb4ff1d64f1f03308a0a610a566b628. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb9e87b2006433c6f980b323396bbe97cfb4ff1d64f1f03308a0a610a566b628
SHA3-384 hash: 81596d6b530c538456595a315cd55603ce7b8f94cefe14816e58ce0a44c0433015b3a6243162d1ae62971fa5c3fe34ad
SHA1 hash: 1a0cd2daa8a407ac38f130e629fd83f37f41c4cb
MD5 hash: 9ef41663fda8e15739cfe94a66fad59e
humanhash: maine-montana-south-fifteen
File name:STSGN5512604-pdf.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:770'901 bytes
First seen:2021-07-26 06:52:58 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 12288:aVRedoiPjXROr+bPpJobM1hneVBfZlwm9zzfRdim6WmZbE7Q:4edfPjX8+bwbeejRlDhzbim/mlAQ
TLSH T120F423C6C95CFA136EF74817175F3B96308B0486EFDAFCABA1ADA9C0016C8D594F9064
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Lan Hoang <Lan.Hoang@tollgroup.com>" (likely spoofed)
Received: "from tollgroup.com (unknown [185.222.57.90]) "
Date: "26 Jul 2021 08:04:13 +0200"
Subject: "Re: New shipment for Duif// 235101506649/ STSGN5512604"
Attachment: "STSGN5512604-pdf.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27121.RarHeur.NoDP.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 06:53:04 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
9 of 46 (19.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xopipmqamqz4n6mawmrts256s7h3j7y5mty7amyiuctbbjlgwyua._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210726-nhk6v7w56s/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.desarrollosolucionesnavarro.com/ipa8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/bb9e87b2006433c6f980b323396bbe97cfb4ff1d64f1f03308a0a610a566b628

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz bb9e87b2006433c6f980b323396bbe97cfb4ff1d64f1f03308a0a610a566b628

(this sample)

Formbook

Executable exe cbe7c0318d2f88aff2f18fc19a824bfdebcf2f7137d85adac1a5799afbb6876b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cbe7c0318d2f88aff2f18fc19a824bfdebcf2f7137d85adac1a5799afbb6876b

Comments