MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5ba51ee213d5950185415523f87403ecbd6b1715a3cb9dea04dbadce5eaf04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf5ba51ee213d5950185415523f87403ecbd6b1715a3cb9dea04dbadce5eaf04
SHA3-384 hash: c34cc95b9df7a9fffc0a72ac22efd63164a7b69bc5e713697dc854627b54a94922ccd39693c6371e48aa02644bba2340
SHA1 hash: 2a1dfbb3f35273749a82adbc340069c33994a0d6
MD5 hash: 0264c7dd5c382dde4039f80577a11aed
humanhash: north-eighteen-sodium-oklahoma
File name:attached booking %0D%0A%09price list.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:427'938 bytes
First seen:2022-05-07 06:14:10 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:273DCyVSTj8n0JDVJ+m/pFfJlOMNCJkMcuSQ:E3dUgnMf3/plOi1I
TLSH T116942302E29C5CE42D1B927249A572F5E7E1AE61937024C59D4336FD44CEA27B3E90CF
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Vasilis Vasileiadis <info@sivotatravel.gr>" (likely spoofed)
Received: "from hosting3.netsys.am (hosting3.netsys.am [80.86.231.190]) "
Date: "Fri, 06 May 2022 08:50:59 +0000"
Subject: "RE: [EXTERNAL] RE: RE: Booking confirmation"
Attachment: "attached booking
price list.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Scr.MalPbsgen1.15470.8266.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62760e6ebe0219041a793d8d/reports/1e11f344-125f-4990-8c33-c0b0283a3ea8/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/cf5ba51ee213d5950185415523f87403ecbd6b1715a3cb9dea04dbadce5eaf04
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf5ba51ee213d5950185415523f87403ecbd6b1715a3cb9dea04dbadce5eaf04/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 12:58:01 UTC
File Type:
Binary (Archive)
Extracted files:
44
AV detection:
20 of 42 (47.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5n2khxccpkzkamfifksh6duapwl22yxcwr4xhpkatn23ts6v4ca._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat suricata trojan
Link:
https://tria.ge/reports/220507-gzxkfacaf7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/cf5ba51ee213d5950185415523f87403ecbd6b1715a3cb9dea04dbadce5eaf04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip cf5ba51ee213d5950185415523f87403ecbd6b1715a3cb9dea04dbadce5eaf04

(this sample)

Formbook

Executable exe dcd5d7cfe84d0687294f0990eaba6b407d250877fe61c3a28dc9ff6a30638bce

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 dcd5d7cfe84d0687294f0990eaba6b407d250877fe61c3a28dc9ff6a30638bce
  
Dropping
Formbook

Comments