MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3c7472fe288667a66899568ab65f4d28d89bc91a44bcacb19633425b32d1c6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3c7472fe288667a66899568ab65f4d28d89bc91a44bcacb19633425b32d1c6a
SHA3-384 hash: 78a432dbd354b4b58f5a6e43f0151a87c43d99fa9e067b9834d1338f7e41e8c5443c3d206e0a90b7960fca084cddc539
SHA1 hash: 50a97944178bba6c9187fdf2e5a078bee604f260
MD5 hash: 8206b4f35e55e82805e7ed7a2e2faef9
humanhash: artist-wyoming-sink-march
File name:PO JREL0036 202R2.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:611'949 bytes
First seen:2021-09-09 14:22:19 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:ImQLTixd87Mmrdjf4nwmnpn53/42UmUdJhiTwVrNfyGJ13Smn:C3IwdjgnVnpnZUQwVxz1imn
TLSH T1B4D42359FC03CF72025006570F926C4537A63B54B95B6A39332D9E6E382BBCDA8B7349
Reporter cocaman
Tags:FormBook lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "hr <hr@mlmfurniture.com>" (likely spoofed)
Received: "from mlmfurniture.com (unknown [45.137.22.48]) "
Date: "9 Sep 2021 15:27:49 +0200"
Subject: "=?UTF-8?B?UE8gSlJFTDAwMzYg5piO5bedIOW+t+WbveWuouS6uuaWsOiuouWNlQ==?="
Attachment: "PO JREL0036 202R2.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3c7472fe288667a66899568ab65f4d28d89bc91a44bcacb19633425b32d1c6a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 14:23:10 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pduol7crbthuzujsvukwzpu2kgytperurf4vsyzmm2clmzndrva._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ergs rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210909-rp5s6sbdgr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.barry-associates.com/ergs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d3c7472fe288667a66899568ab65f4d28d89bc91a44bcacb19633425b32d1c6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar d3c7472fe288667a66899568ab65f4d28d89bc91a44bcacb19633425b32d1c6a

(this sample)

Formbook

Executable exe 0cdbab37f443dbdc7fb7aecc5e0b8dfb7b25b7d665397194bb8a137e9b01d44f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0cdbab37f443dbdc7fb7aecc5e0b8dfb7b25b7d665397194bb8a137e9b01d44f
  
Dropping
Formbook

Comments