MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be155a657b48e52176e37c9623e466cfb6fe5dcf3786bbe488e84761b95514e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be155a657b48e52176e37c9623e466cfb6fe5dcf3786bbe488e84761b95514e0
SHA3-384 hash: 41fdb71642407477a2db6ac3ef012390ff35b48fa413525d5fe701750b726a1498bca1e2ed4b0311ab7bf90bf357b4f1
SHA1 hash: 23c3057c1293424fab48898a8d7ce8073055aeb8
MD5 hash: 8d4353431974f4aa98f1607e18e2ef05
humanhash: india-bakerloo-don-hot
File name:00098765123POIIU.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:707'319 bytes
First seen:2021-05-12 05:57:12 UTC
Last seen:2021-05-12 07:02:12 UTC
File type: rar
MIME type:application/x-rar
ssdeep 12288:T21LHdwGYFsUL2Hv+vfMG8V0FYL5OG8hG8SoJNNkb7MvBmkouoNjIb9ifaC3vsIE:T2h9wG+svMkvV0aL5r8h1N0b4pm1sMXm
TLSH E9E42324B8294FB4D2963F7DCB0F5E195993C1DBA8F6A426D3A81D30004AF671968F2D
Reporter cocaman
Tags:rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Serene Tan <Sato-M@marubeni.com>" (likely spoofed)
Received: "from sky2.thehostingxperts.com (sky2.thehostingxperts.com [72.18.155.2]) "
Date: "Wed, 12 May 2021 07:25:28 +0530"
Subject: "RE: New Order INV_#43/202 USD 980,950.25"
Attachment: "00098765123POIIU.rar"

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be155a657b48e52176e37c9623e466cfb6fe5dcf3786bbe488e84761b95514e0/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 05:57:15 UTC
File Type:
Binary (Archive)
Extracted files:
26
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xykvuzl3jdssc5xdpslchzdgz63p4xopg6dlxzei5bdwdokvctqa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210512-vz6d11stkj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.hysjs168.com/uv34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/be155a657b48e52176e37c9623e466cfb6fe5dcf3786bbe488e84761b95514e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar be155a657b48e52176e37c9623e466cfb6fe5dcf3786bbe488e84761b95514e0

(this sample)

Formbook

Executable exe 5e2255d59560c85c4a6c30ffa54e00b2805b584292de464befaf01a614539229

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5e2255d59560c85c4a6c30ffa54e00b2805b584292de464befaf01a614539229

Comments