MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c977407ce7f7662fb5914531ca9cce60acdeeeedced357c69f53bd1140fc0aa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c977407ce7f7662fb5914531ca9cce60acdeeeedced357c69f53bd1140fc0aa5
SHA3-384 hash: 27cc8e316bab007be5aeb2107928b811124cef665e5e1eca9eea5a095951ca8e33775df081d855407ba561563fed8f03
SHA1 hash: 0a62f9a13931e6ec96edfda4de4306b1d61a06a7
MD5 hash: 55092a2675740b05a0a58597546a435c
humanhash: tennessee-oscar-yellow-kitten
File name:paking list PO no. 4600033008.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:825'753 bytes
First seen:2022-04-04 08:25:17 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:/Sy+FT6RK4x+4sR79c389d1OrlONRe2L1aB0x:f+FOcb4sIgd1Ot2L1ai
TLSH T12105332EC3E50399707D5B9A15BD9C4569A7C7FDC3934032BBA6B433EB61A23306470A
Reporter cocaman
Tags:FormBook lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Summary Jobin <jobin@dhofarcement.com>" (likely spoofed)
Received: "from dhofarcement.com (unknown [45.137.22.40]) "
Date: "4 Apr 2022 10:15:26 +0200"
Subject: "=?UTF-8?B?5Zue5aSNOiBVcmdlbnQtcmVxdWVzdCBwYWtpbmcgbGlzdA==?="
Attachment: "paking list PO no. 4600033008.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/624aab9bdb9ca5cf8419ed8d/reports/e105e5de-bf3c-4f5b-ab64-9fde6b80274b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c977407ce7f7662fb5914531ca9cce60acdeeeedced357c69f53bd1140fc0aa5/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 08:26:08 UTC
File Type:
Binary (Archive)
Extracted files:
23
AV detection:
7 of 42 (16.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zf3ua7hh65tc7nmriuy4vhgomcwn53xnz3jvpru7ko6rcqh4bksq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n8bs loader rat
Link:
https://tria.ge/reports/220404-kbt17adbb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c977407ce7f7662fb5914531ca9cce60acdeeeedced357c69f53bd1140fc0aa5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c977407ce7f7662fb5914531ca9cce60acdeeeedced357c69f53bd1140fc0aa5

(this sample)

Formbook

Executable exe 08bb3c1e40fec4d0cec3b6cf4d0cc4363b5f3544358d77ba94611a812f1eac62

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 08bb3c1e40fec4d0cec3b6cf4d0cc4363b5f3544358d77ba94611a812f1eac62
  
Dropping
Formbook

Comments