MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ed1143d4e48845c135afc103cefb1a8a54dc0671cd50014a46842a4f7ef842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6ed1143d4e48845c135afc103cefb1a8a54dc0671cd50014a46842a4f7ef842
SHA3-384 hash: 05dabdd0575fae13d3d667ec8ad9d975f6be1ee2ee3f8d1d8983b0599ae50b7d44b5ca2660607618d7a70aa4f35b1108
SHA1 hash: b587768aca0fb44dcb22751eaec6884288fccc2e
MD5 hash: 6f376ceb23bf3cd21666a9682367c665
humanhash: mars-queen-utah-cold
File name:SOA.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:597'303 bytes
First seen:2021-04-24 06:01:39 UTC
Last seen:2021-04-24 06:09:08 UTC
File type: gz
MIME type:application/x-rar
ssdeep 12288:fDeCXxz0NkgJodoLEsuJVqsf1g+g9l1jQB6AYvEvuU:fDFd0ZoG+Ff+x9l6gAqa7
TLSH B7C4236CD5B93D927C78F0E454DF8F11F51788ABB09BDA260BE35DE8496220BF42C05A
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Ahmed Akram <ahmed.akram@mediaminds.biz>" (likely spoofed)
Received: "from mediaminds.biz (unknown [45.137.22.94]) "
Date: "23 Apr 2021 22:01:31 -0700"
Subject: "Re: Updated SOA"
Attachment: "SOA.gz"

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6ed1143d4e48845c135afc103cefb1a8a54dc0671cd50014a46842a4f7ef842/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-24 00:02:42 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3wrcq6u4seelqjvv7aqhtx3dkffjxagohgvaakki2ccut367bba._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210424-wxzt5r973j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.consultinggroupwv.com/ple/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz c6ed1143d4e48845c135afc103cefb1a8a54dc0671cd50014a46842a4f7ef842

(this sample)

Formbook

Executable exe c1d7028900706dc1fa7c0e165b9209415b96628bb49f17779f86256851a0d3c1

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c1d7028900706dc1fa7c0e165b9209415b96628bb49f17779f86256851a0d3c1

Comments