MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c20358e89b0e1c53b16cc6ee449c6202554488ecbab62ec89489fed5ea7b2ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c20358e89b0e1c53b16cc6ee449c6202554488ecbab62ec89489fed5ea7b2ac0
SHA3-384 hash: f1c31a3cec51dee5455291b790b2c920838746232cdf66e7629b60a82b9de3cc8b9abad132f0ae4bf7eaff3f976a9f73
SHA1 hash: c1f24896deb5213cefa3f1aa2381beb1b661ba5e
MD5 hash: 91563a68457129371ff0016769520698
humanhash: papa-fourteen-november-fourteen
File name:DOCUMENTS.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:460'496 bytes
First seen:2022-06-10 01:20:31 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:iwomXszWxqfISUCxBP+RWoLLVj7FCJQR6sZEAMv:XomkflUCqfVjJR64ENv
TLSH T11CA42393B99F2339C578FEE279D31102FDA480427DC1B655098DFD1986E088582BA7BF
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Kathy Donald<Estancgentradingou@outlook.com>" (likely spoofed)
Received: "from outlook.com (unknown [180.214.236.254]) "
Date: "9 Jun 2022 18:11:09 -0700"
Subject: "RE:SHIPMENT DOCUMENT"
Attachment: "DOCUMENTS.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Tedy.116939.7636.29034.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62a29c7f0a73c1b800cdf1ea/reports/01b6bd35-e223-4494-a0d3-058d7de7dc52/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c20358e89b0e1c53b16cc6ee449c6202554488ecbab62ec89489fed5ea7b2ac0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c20358e89b0e1c53b16cc6ee449c6202554488ecbab62ec89489fed5ea7b2ac0/
Threat name:
ByteCode-MSIL.Trojan.XLoader
Create hunting rule
Status:
Malicious
First seen:
2022-06-09 18:01:58 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yibvr2e3byofhmlmy3xejhdcajkujchmxk3c5seurh7nl2t3flaa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:sdzp loader persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/220610-bqnchseaen/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/c20358e89b0e1c53b16cc6ee449c6202554488ecbab62ec89489fed5ea7b2ac0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c20358e89b0e1c53b16cc6ee449c6202554488ecbab62ec89489fed5ea7b2ac0

(this sample)

Formbook

Executable exe b4941d8f5e456102b2283c02590294a1896348e32dc78074d9bbf96990896e7c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b4941d8f5e456102b2283c02590294a1896348e32dc78074d9bbf96990896e7c
  
Dropping
Formbook

Comments