MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca1e8896fedd1f7e22799e7c5ccf9f1a7898e4602890efc47285cf0cfead7b46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca1e8896fedd1f7e22799e7c5ccf9f1a7898e4602890efc47285cf0cfead7b46
SHA3-384 hash: ef54096d73e9a27cd2eabc7a5c31fa5cd6fe22c58fcf4b22c6e5ebc65f662932f1833480602145dab2b87fb9859a6a88
SHA1 hash: 8c2182e3bf35d578294bbb09b09a08812459a56f
MD5 hash: 48c35de47d4446a5d76ab21e96b1d58f
humanhash: mexico-pip-winter-harry
File name:Payment.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:498'472 bytes
First seen:2021-09-15 06:25:23 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:SkGFFsFbLaoynPE5bQyUCVRPZMpuGJmyPkyjXNLsbgHt:SkGFFybec50yUEZQAyPkq9Ls2t
TLSH T1D0B423B473A7F71887A10AF74994E583A6C9970279EFA5E649FB9113B32F20D99F0004
Reporter cocaman
Tags:FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Kaushik Gandhi <lorena.greaves@shenzhenliyiecheng.com>" (likely spoofed)
Received: "from slot0.consultragroup.com (slot0.consultragroup.com [92.52.218.241]) "
Date: "14 Sep 2021 05:30:25 +0200"
Subject: "QTNF-Offer-FSER000065"
Attachment: "Payment.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/617513ee9a5a1e91c5d2024d/reports/6f9ba449-3a70-437b-9727-5a85429eca4b/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca1e8896fedd1f7e22799e7c5ccf9f1a7898e4602890efc47285cf0cfead7b46/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 03:53:04 UTC
File Type:
Binary (Archive)
Extracted files:
34
AV detection:
14 of 45 (31.11%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zipirfx63upx4itztz6fzt47dj4jrzdafcio7rdsqxhqz7vnpnda._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:pm7s rat spyware stealer trojan
Link:
https://tria.ge/reports/210915-g67zrahhh4/
Behaviour
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.rafaelcristino.com/pm7s/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ca1e8896fedd1f7e22799e7c5ccf9f1a7898e4602890efc47285cf0cfead7b46

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar ca1e8896fedd1f7e22799e7c5ccf9f1a7898e4602890efc47285cf0cfead7b46

(this sample)

Formbook

Executable exe a57534ac7570e5be7e25f1c0d9745dc549d56b193ed7b1547e61ae79485edc1c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a57534ac7570e5be7e25f1c0d9745dc549d56b193ed7b1547e61ae79485edc1c
  
Dropping
Formbook

Comments