MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc8fcf51279b2c357d1c648eededf4ac24c1d79bd9a88728adfe9b74b2f596c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc8fcf51279b2c357d1c648eededf4ac24c1d79bd9a88728adfe9b74b2f596c3
SHA3-384 hash: cf057c448b2bf1ef2dfd8b03f504aad9adf8765df1c519a6ace22e4b4916721f4830c33519567762026abe7dde1132ab
SHA1 hash: 65d01a3d2e697e4aa4653e938f4e9ee32d8b722f
MD5 hash: 3685ad918d432e326f198ece5281448e
humanhash: leopard-stairway-lemon-pennsylvania
File name:Swift Copy#0002.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:849'071 bytes
First seen:2021-04-14 06:26:14 UTC
Last seen:2021-04-14 13:05:26 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:If+5DqHXYb7ke2J/XqJ9ktjDkLotdyl32vNwq27pG8zwi4XCf6GBRQGvF0rBYs1q:IfuiKK/XqJqjDucW7pG88gfJJOhu
TLSH 2705233CD81D718CDC47D1989153AE92D34FAE2B82DAC2D102DE7AADE3949BF453B184
Reporter cocaman
Tags:FormBook SWIFT zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Anna H" <anna@motomarine-it.com>" (likely spoofed)
Received: "from api.motomarine-it.com (unknown [167.71.37.27]) "
Date: "Wed, 14 Apr 2021 03:55:46 +0000"
Subject: "Payment Copy"
Attachment: "Swift Copy#0002.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fn112.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.646-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/cc8fcf51279b2c357d1c648eededf4ac24c1d79bd9a88728adfe9b74b2f596c3
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc8fcf51279b2c357d1c648eededf4ac24c1d79bd9a88728adfe9b74b2f596c3/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-14 06:27:05 UTC
File Type:
Binary (Archive)
Extracted files:
28
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsh46ujhtmwdk7i4msho33puvqsmdv433guiokfn72nxjmxvs3bq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210414-kpjlwpvk32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.ngungontrondoi.com/ve9m/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc8fcf51279b2c357d1c648eededf4ac24c1d79bd9a88728adfe9b74b2f596c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip cc8fcf51279b2c357d1c648eededf4ac24c1d79bd9a88728adfe9b74b2f596c3

(this sample)

Formbook

Executable exe 3173946149373004e811a6c7ed1df43dda5cfdfaa4986c047560304eee748bcd

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3173946149373004e811a6c7ed1df43dda5cfdfaa4986c047560304eee748bcd
  
Dropping
Formbook

Comments