MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0b8f5b7841cfd9709c725f97edd025e8d1d4b4f319e6030b054ff510abe45d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0b8f5b7841cfd9709c725f97edd025e8d1d4b4f319e6030b054ff510abe45d5
SHA3-384 hash: 4417d0af98ed67df9386513853a0b824889ef4261749a14dfcacf1d09d5daa09beb005962ffac98251ed5cdb80f835d7
SHA1 hash: 599cd398d977f9dfd1b0b90c181fe93fd0596818
MD5 hash: c181ba6cb1c91cb6f025992900b7ca40
humanhash: table-victor-johnny-jupiter
File name:PI for the order 20210407DTR001.pdf.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:585'957 bytes
First seen:2021-07-08 08:40:22 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:AMFDAyfSG8v/kHFzw9qrO788NTuTGQME2M9cUcd3NsEavPd3yNm:/pV6v/kHFSqyo8ITOE2MCUcleE2FyNm
TLSH T138C4239D573F92B99302F125704DC4A01AD7CA53ADDC62EA9D3192783D18EBBB08CB4D
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?ICJOYWtpYiBSw7x5YSI=?= <info@taca.com.tr>" (likely spoofed)
Received: "from taca.com.tr (unknown [2.57.238.16]) "
Date: "08 Jul 2021 01:12:20 -0700"
Subject: "urs.lustenberger@lgpartner.ch RE:Provide a P/I for the order 20210407DTR001"
Attachment: "PI for the order 20210407DTR001.pdf.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.908-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0b8f5b7841cfd9709c725f97edd025e8d1d4b4f319e6030b054ff510abe45d5/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 08:41:05 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
9 of 46 (19.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2c4pln4edt6zocohex4x5xicl2gr2s2pggpgamfqkt7vccv6ixkq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210708-msb7hc6dy2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.c4poc.com/3b4e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d0b8f5b7841cfd9709c725f97edd025e8d1d4b4f319e6030b054ff510abe45d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz d0b8f5b7841cfd9709c725f97edd025e8d1d4b4f319e6030b054ff510abe45d5

(this sample)

Formbook

Executable exe 930ff364210f0d0e18cf5ead705f1b8724512ebf556cf4c64dc69783d7a66197

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 930ff364210f0d0e18cf5ead705f1b8724512ebf556cf4c64dc69783d7a66197

Comments