MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973
SHA3-384 hash: c414843601f52e2bccfbc1ac44e1743f28ab65a0d513851deba453c172f0bba34b5bfd0ddd26ef69f2476d31aaf960e9
SHA1 hash: 77919ef68e5247483816a1b1a1a030f537ce54f1
MD5 hash: 7d9224e610eab56f6a2276a8f31f8cc7
humanhash: cardinal-island-snake-hamper
File name:pending orders0308 D2101002610 pdf.7z
Download: download sample
Signature FormBook
Create hunting rule
File size:702'707 bytes
First seen:2021-04-21 16:06:38 UTC
Last seen:2021-04-23 13:56:53 UTC
File type: 7z
MIME type:application/x-rar
ssdeep 12288:IXMyBmRllrJ1KN1nN+pgR7/a0OMtf+0rYqer+AJKWcp18QvMvC0WMmz0RAEh21X:MMAmR7rJ0DR7/GwRYqeqfbJvM68haX
TLSH 79E4230BF6DFE80EC46CFF4B131F65313253368A9D06252B5662DEB0799A127A212FD4
Reporter cocaman
Tags:7z FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: ""Rahmatullah khan"<sales@smoresteel.com>" (likely spoofed)
Received: "from [62.113.202.77] (unknown [62.113.202.77]) "
Date: "21 Apr 2021 17:27:13 +0200"
Subject: "Update of PI AAAQ pending orders0308 D2101002610 air shipment"
Attachment: "pending orders0308 D2101002610 pdf.7z"

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 14:52:48 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5xdo2v55oaqhxaa67b3ndg7njufzrkxqju3qpw4esp2a2j4xfzq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210421-mq6nv98lvs/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.gloomyca.com/chue/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

7z c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973

(this sample)

FormBook

Executable exe 6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a
  
Dropping
FormBook

Comments