MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce715d068d666cd222ff3b6ce636c43258445bbeb7c593a09bce9f2530b3600c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce715d068d666cd222ff3b6ce636c43258445bbeb7c593a09bce9f2530b3600c
SHA3-384 hash: 05a054409a914bf23dc8fe5d500ad0510a865790d8de648f0984284fe51944fae0c6210e883251a7baa604857dbf64fe
SHA1 hash: a38e77d02d5b363ea197d878552a410c5e7197f7
MD5 hash: 2bcce50cf9bdff4ff1f4e6e5d1930860
humanhash: pluto-paris-red-ack
File name:RAUSCH URGENT quote NOV21_87553,pdf.iso
Download: download sample
Signature Formbook
Create hunting rule
File size:397'312 bytes
First seen:2021-11-23 10:58:54 UTC
Last seen:2021-11-23 11:06:14 UTC
File type: iso
MIME type:application/x-iso9660-image
ssdeep 6144:3Gi4zy1/L+ggGuzb0KryonDxvkRO312rQ7po/H+VmqqshEoOKhybM8Sf++p5:Ky1DzgGNKrrnFvkROczeVmChOVPSB
TLSH T172841243A94049AAECD65A72047A8B6083772F8949B0975F338EBD777FF36830845B47
Reporter cocaman
Tags:FormBook iso


Avatar
cocaman
Malicious email (T1566.001)
From: ""Anita Zecic" <info@turb03.com>" (likely spoofed)
Received: "from mail0.turb03.com (unknown [144.126.220.125]) "
Date: "23 Nov 2021 11:05:58 +0000"
Subject: "RAUSCH URGENT quote NOV21_87553"
Attachment: "RAUSCH URGENT quote NOV21_87553,pdf.iso"

Intelligence

File Origin
# of uploads :
3
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_badexts72.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619cc979b71ceed4152cda31/reports/d9a83bda-8b0a-40b9-aeec-68215ccf0c41/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce715d068d666cd222ff3b6ce636c43258445bbeb7c593a09bce9f2530b3600c/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 10:59:10 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
18 of 45 (40.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzyv2bunmzwneix7hnwomnwegjmeiw56w7czhie3z2pskmftmaga._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:c1h5 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211123-m3efxshghm/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.coralxlix.com/c1h5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ce715d068d666cd222ff3b6ce636c43258445bbeb7c593a09bce9f2530b3600c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso ce715d068d666cd222ff3b6ce636c43258445bbeb7c593a09bce9f2530b3600c

(this sample)

Formbook

Executable exe c54011773bed423243ea28917f4ee89a825cf2886dbb4b0939bac3e955284c0b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c54011773bed423243ea28917f4ee89a825cf2886dbb4b0939bac3e955284c0b
  
Dropping
Formbook

Comments