MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d919327d6cd9ea0111387bcd134c46659850956c914fac63dbea781188f04a70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d919327d6cd9ea0111387bcd134c46659850956c914fac63dbea781188f04a70
SHA3-384 hash: 6a7bb5e17b1a80d9208719eb4f22d8a797db302bdfa2166116b83e4114c602d11f440533a9c925d9f98962593d1f8f3a
SHA1 hash: f0bd46d938ac5335f2726c4b82778976df4bcdde
MD5 hash: b6103d5b685ed7510979c4504bdb6d3e
humanhash: speaker-twenty-cardinal-bravo
File name:Payment_Advice.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:434'579 bytes
First seen:2021-07-28 06:21:20 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:U91472iJ17mflyAPdKjnGjHwl5zxATiqWywVjz7R9:U9I1PmfrwnB5dATiawVPd9
TLSH T1CA94237CD29FF87DE8C0468514A5EA9C30CF0E11BC5FA5922ABAF2C1A9488EDD151D93
Reporter cocaman
Tags:FormBook HSBC zip


Avatar
cocaman
Malicious email (T1566.001)
From: "HSBC Advising Service <advising.service@mail.hsbcnet.hsbc.com>" (likely spoofed)
Received: "from mail.hsbcnet.hsbc.com (unknown [103.139.45.212]) "
Date: "27 Jul 2021 23:20:50 -0700"
Subject: "Payment Advice - Advice Ref:[GLV410796721] / Priority payment / Customer Ref:[2000000559]"
Attachment: "Payment_Advice.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fn55.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.20794.ZipHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d919327d6cd9ea0111387bcd134c46659850956c914fac63dbea781188f04a70
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 06:22:04 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3emte7lm3hvacejyppgrgtcgmwmfbflmsfh2yy635j4bdchqjjya._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210728-293tarsvss/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.illoftapartments.com/uecu/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/d919327d6cd9ea0111387bcd134c46659850956c914fac63dbea781188f04a70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip d919327d6cd9ea0111387bcd134c46659850956c914fac63dbea781188f04a70

(this sample)

Formbook

Executable exe afc581586580ee675ab9b0cfef4e508b9decebe330dc6a7334534d34fb7d6a2e

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 afc581586580ee675ab9b0cfef4e508b9decebe330dc6a7334534d34fb7d6a2e

Comments