MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d76ef633fc30a0fa009064ec2dc22a7d204be5c7e910622cb741cb01d434f1d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 5



SHA256 hash: d76ef633fc30a0fa009064ec2dc22a7d204be5c7e910622cb741cb01d434f1d7
SHA3-384 hash: 57ad317ef7ed9f46b7a8138a380851ce9f791ff6043fe0cc49c0339e8770d58aa522dc82512e1e6e9dfa2e554edb2557
SHA1 hash: 8cf9a4bfe5f277427fc551ac8df8b190b4bd2b60
MD5 hash: bf5029e55445e550dcd79bbed68f6499
humanhash: vegan-nuts-zebra-wyoming
File name: AVR JULY 2021.xz
Signature: Formbook
File size: 536'159 bytes
First seen: 2021-07-07 05:02:09 UTC
Last seen: 2021-07-07 18:16:14 UTC
File type: xz
MIME type: application/x-rar
ssdeep: 12288:Ioc0xEZOcetpWn/n4Z81AjgGMqbfW+/L7v2zdeuY:DZEUcetzOfs3L70eF
TLSH: 4EB4234F64B4B1798D6B0EC822337121BBE908D1AD65DB8C3B9567340F97E4C28772AD
Reporter: cocaman
Tags: FormBook xz


cocaman
Malicious email (T1566.001)
From: "AVR <traveloka@avisthailand.com>" (likely spoofed)
Received: "from avisthailand.com (mail.avisthailand.com [202.6.17.96]) "
Date: "Wed, 07 Jul 2021 01:50:10 +0100"
Subject: "AVR Signing JULY 07 2021"
Attachment: "AVR JULY 2021.xz"

Intelligence


File Origin
# of uploads: 2
# of downloads: 181
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-07-07 05:02:20 UTC
File Type: Binary (Archive)
Extracted files: 22
AV detection: 4 of 46 (8.70%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader rat
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.adultpeace.com/p2io/
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
xz d76ef633fc30a0fa009064ec2dc22a7d204be5c7e910622cb741cb01d434f1d7 (this sample)

Delivery method: Distributed via e-mail attachment

Comments