MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d12c264102a42c65f256f4b4387031c6444c6958934acbb13b335567bc3735a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d12c264102a42c65f256f4b4387031c6444c6958934acbb13b335567bc3735a0
SHA3-384 hash: 9e43584d60c40a69ea9727e143a4372e907cad6760a86d02c38577922d697954c20ff4875eae4af310fb32afa9e7700b
SHA1 hash: 16aede0762fb5feeba39ee04316d410297c8d3ae
MD5 hash: d59b10675f34c9725bad740d861d83c5
humanhash: lake-hawaii-nevada-ceiling
File name:Courtesy Request Letter on 12DEC.cab
Download: download sample
Signature Formbook
Create hunting rule
File size:916'334 bytes
First seen:2021-12-13 09:00:39 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:+/+ABQv78drHbOsoHQPR+rYyMqLHFCdUmwJD74YCJ:+/3BQvIdr7OsoH6+sylLHFCA3M
TLSH T10215339E38257928C6C55E2311F26738EB4A4A1F073C5F7DA81822AD5257F3C8F61BC9
Reporter cocaman
Tags:cab FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: "CCE <janis@focuscareer.com>" (likely spoofed)
Received: "from spamfiltera.infotechsys.com (spamfiltera.infotechsys.com [216.116.192.130]) "
Date: "12 Dec 2021 16:04:11 +0000"
Subject: "REQUEST FOR COURTESY CALL - URGENT DEC2021"
Attachment: "Courtesy Request Letter on 12DEC.cab"

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b70bd02a069372661054ba/reports/7dbccc71-c2c0-459d-a078-61ede0e97490/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d12c264102a42c65f256f4b4387031c6444c6958934acbb13b335567bc3735a0/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-12-13 09:01:11 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
15 of 45 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ewcmqicuqwgl4sw6s2dq4bryzcey2kysnfmxmj3gnkwppbxgwqa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ef6c loader rat suricata
Link:
https://tria.ge/reports/211213-kywhjaeedp/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.fis.photos/ef6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/d12c264102a42c65f256f4b4387031c6444c6958934acbb13b335567bc3735a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar d12c264102a42c65f256f4b4387031c6444c6958934acbb13b335567bc3735a0

(this sample)

Formbook

Executable exe 993e2502c86bc87766ee853a75c89ffe6a635383c685b1aea785364b7c101b59

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 993e2502c86bc87766ee853a75c89ffe6a635383c685b1aea785364b7c101b59
  
Dropping
Formbook

Comments