MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8a16cc5c07e620c5e6aab507f739d6d40a49aba162acec28f89139e253efe9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8a16cc5c07e620c5e6aab507f739d6d40a49aba162acec28f89139e253efe9e
SHA3-384 hash: 08809b07072830422fbad1a931919885e63c36ed9ac1d8fb15d41c2457c8f0d668c28cdef099ae15b40571c0e4b3e9a2
SHA1 hash: 2ad24bf35b1928198dbedb49e392b4b87fa8c716
MD5 hash: fb632b635ab26ff5d31ed1d691639bc7
humanhash: ack-diet-white-virginia
File name:ORDER REMINDER_0000200.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:512'503 bytes
First seen:2021-10-06 06:16:52 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:Kaebub6/tU6qNzsKYrvw6yCXp36jzpAmk/wE7+gRWhemw:KaebyIDqNzsvrvw6yCXh6nQ7+gR+o
TLSH T1A5B4232CFC8E6E828145394C92BE805B82F9B161136D8172449BE7EF5FBDED8436C358
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Frank Gummer <testing@bhavnatutor.com>" (likely spoofed)
Received: "from ded5428.inmotionhosting.com (ded5428.inmotionhosting.com [173.231.203.67]) "
Date: "4 Oct 2021 20:29:17 -0700"
Subject: "GvA GmbH ORDER REMINDER N o . 60028489 iQXPRZ Power Inc."
Attachment: "ORDER REMINDER_0000200.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Porcupine.Unclassified.101912.UNOFFICIAL
Create hunting rule

Porcupine.Unclassified.101925.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615d3f66e3d213d202b831ca/reports/b1ef9931-ba3d-402b-9a2e-a3d7af087557/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8a16cc5c07e620c5e6aab507f739d6d40a49aba162acec28f89139e253efe9e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 01:31:33 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3cqwzroapzrayxtkvnih6445nvakjgv2cyvm5quprejz4jj672pa._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gnui loader rat
Link:
https://tria.ge/reports/211006-g14edaafb4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.hottorchlighter.com/gnui/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/d8a16cc5c07e620c5e6aab507f739d6d40a49aba162acec28f89139e253efe9e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz d8a16cc5c07e620c5e6aab507f739d6d40a49aba162acec28f89139e253efe9e

(this sample)

Formbook

Executable exe 5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527
  
Dropping
Formbook

Comments