MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3c9fd184e65239f38abca1316047b54c55eb67ff6cb3bc06d914e96f06848c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3c9fd184e65239f38abca1316047b54c55eb67ff6cb3bc06d914e96f06848c1
SHA3-384 hash: eb77010ceb9585e62c68d9eaa10cdbc5041a1db9a9c2dec99d89279111db488f756540f045815e9ff1bfdb091a8b7cdf
SHA1 hash: a1c899d80567bcf97f2d9b6934f50f4919562c14
MD5 hash: 96dc3bc4d385d8c92df4fbf6d34e5859
humanhash: item-lemon-mountain-double
File name:MV. CMA CGM Verdi V-250E AWB PACKING LIST ISO CERTIFICATE BILL OF LANDING DRAFT. COMMERCIAL INVOICE SHIPMENT 709447464231.pdf.r27
Download: download sample
Signature Formbook
Create hunting rule
File size:550'625 bytes
First seen:2021-04-20 11:32:27 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:z/7jz0SPyslaxYvxd6NjgSmplrGoB29/ykXjtMUA4NN3j0VyFEBc:/v0SFsK5du0pbr/BY/5hV93F6c
TLSH 4AC433C43E5905B99AF411A8248184BF61035F38CB6A354CC72E69104FB97FFEBB2978
Reporter cocaman
Tags:INVOICE r27


Avatar
cocaman
Malicious email (T1566.001)
From: ""Ms.Julie Tsukahara-LOGISTICS MATES CORP."<info@esanat.com>" (likely spoofed)
Received: "from esanat.com (unknown [45.133.1.235]) "
Date: "20 Apr 2021 11:07:25 +0200"
Subject: "FW: MV. CMA CGM Verdi V-250E DT:04/20/2021."
Attachment: "MV. CMA CGM Verdi V-250E AWB PACKING LIST ISO CERTIFICATE BILL OF LANDING DRAFT. COMMERCIAL INVOICE SHIPMENT 709447464231.pdf.r27"

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3c9fd184e65239f38abca1316047b54c55eb67ff6cb3bc06d914e96f06848c1/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pe72gcomurz6oflzijrmbd3ktcv5nt763ftxqdnsfhjn4dijdaq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210420-25sk2867w6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.designart-sh.com/q44r/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3c9fd184e65239f38abca1316047b54c55eb67ff6cb3bc06d914e96f06848c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar d3c9fd184e65239f38abca1316047b54c55eb67ff6cb3bc06d914e96f06848c1

(this sample)

Formbook

Executable exe 7f30f6235ede3ca640a27c640c291228e74c1699b460147d5c18bddc3795bd8b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7f30f6235ede3ca640a27c640c291228e74c1699b460147d5c18bddc3795bd8b

Comments