MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e
SHA3-384 hash:	2057ca52b2f82498cffd5c565a7a9ad6fbcb7f80c2372f30fef48401f906595cd5188774e27a3c29016311d6d7ce8598
SHA1 hash:	c559626cd02cd55f43c62df52b3e953d2121dae2
MD5 hash:	44f90859deeaddb27086f3b264484f14
humanhash:	seven-north-sierra-beer
File name:	Require your Sales Ledger from 01-April-2020.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	530'958 bytes
First seen:	2021-04-12 12:23:31 UTC
Last seen:	2021-04-13 11:48:51 UTC
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:umWt1egtDF/uIxon2NRIv73USPAIQ/PZXv0+HAdYhpJcjpBq2EK0+:7WtogtVm6Y3PoPZs+fhpWjn/b
TLSH	6BB423D9676B27964374A740C455009F28AEAA03E3FA9413127FFEED5C4CFB1A2454B3
Reporter	abuse_ch
Tags:	rar

abuse_ch

Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.152
From: Suresh<suresh.washivale@channelpackaging.in>
Subject: Require your Sales Ledger from 01-April-2020 to 31-March-2021 - Closing Balance.
Attachment: Require your Sales Ledger from 01-April-2020.rar (contains "Require your Sales Ledger from 01-April-2020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Heur.26851.19979.UNOFFICIAL

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-12 12:24:09 UTC

AV detection:

9 of 48 (18.75%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yfk43k7b2fifbwyn2sifp2bsqfvnkn3kl33ujswyiyrq34t5kj7a._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210412-ahh2zd2t9a/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Nirsoft

Formbook

Malware Config

C2 Extraction:

http://www.consultoramulticars.com/suod/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e

(this sample)

Formbook

exe d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c

Dropping

MD5 c7c27e1859f1593aedb1eebf0a15175e

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample