MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53def0461e8160d10039ad740e81a2548973261d0cfc874b9a5094bf818f3b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	d53def0461e8160d10039ad740e81a2548973261d0cfc874b9a5094bf818f3b2
SHA3-384 hash:	552929eb77c707a1ccd46d4833925770ac2c4b1d6ef542e37d3a3fe63fd2d0d5a5461f15a78611383f705c9af9b66bbc
SHA1 hash:	5a65660e0799139c987bf519f34b8dafd8a95675
MD5 hash:	4e86f31132121f187a8968e63ff25cd8
humanhash:	monkey-sixteen-dakota-zulu
File name:	5544682.ace
Download:	download sample
Signature	Formbook Create hunting rule
File size:	447'935 bytes
First seen:	2022-04-30 11:20:31 UTC
Last seen:	2022-04-30 11:22:42 UTC
File type:	ace
MIME type:	application/octet-stream
ssdeep	6144:WKRcxcwiQ8nX7JSYAHaE5NXHLKq4VRg1ULZcsIemPY1AQkdRrFJ9EKpPm1SihqJB:0cw58nX7YYAz/HLIZdnkQkrdKSihqBh
TLSH	T1DD94239C625483DC4F68EC822995B2F23D7B211457EB8E4106DAB135F41C0BBA97A3B5
Reporter	cocaman
Tags:	ace FormBook

cocaman

Malicious email (T1566.001)
From: ""Omar Faruk" <order@vardem-ks.com>" (likely spoofed)
Received: "from z1.hostniner.com (z1.hostniner.com [46.4.67.220]) "
Date: "Fri, 29 Apr 2022 00:38:26 -0700"
Subject: "Re: Additional contract amendment act"
Attachment: "5544682.ace"

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit

Link:

https://www.filescan.io/uploads/626d1babbc7a59452670e7cc/reports/a2e22386-bec6-47be-bc97-70fc4af48505/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d53def0461e8160d10039ad740e81a2548973261d0cfc874b9a5094bf818f3b2/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2022-04-29 11:41:00 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 42 (45.24%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2u666bdb5ala2eadtllub2a2evejomtb2dh4q5fzuueux6ay6oza._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:6f3o loader rat suricata

Link:

https://tria.ge/reports/220430-nfzn1sdeek/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

CustAttr .NET packer

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/d53def0461e8160d10039ad740e81a2548973261d0cfc874b9a5094bf818f3b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ACE_Containing_EXE Create hunting rule
Author:	Florian Roth - based on Nick Hoffman' rule - Morphick Inc
Description:	Looks for ACE Archives containing an exe/scr file