MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925
SHA3-384 hash:	b56a73a2cc6ea2879d08a709344129ca0e18aa0a0a9a3aa41bab0f58ff5a77e78854f613446fbc299d2367f05ca543bf
SHA1 hash:	2007e1adbb4cf7c2f9275b43bb168b848337d891
MD5 hash:	65196231cc7bfdd9eb564050d2151b04
humanhash:	saturn-river-winner-queen
File name:	MITT_Order_pdf.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	471'637 bytes
First seen:	2022-04-14 06:16:08 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:4wHIJKpb2SGtyVoJ+ICBc7gWMQR0a+3vyfTJR/ApGfzSJUWKvxBYHhoh0lDcKs01:4wHIJFTgXI1R01afTJR/V2ABYH+h43QI
TLSH	T1D3A4239988DB4E9A389E454837626C48E63B884455637BD3234C66ACF35EFBDC039783
Reporter	cocaman
Tags:	FormBook zip

cocaman

Malicious email (T1566.001)
From: "Shady Mohamed <zoe@ecengcompany.com>" (likely spoofed)
Received: "from ecengcompany.com (vps-zap910087-1.zap-srv.com [88.214.59.51]) "
Date: "13 Apr 2022 07:46:58 +0200"
Subject: "Order Inquiry MITT"
Attachment: "MITT_Order_pdf.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_badexts14.UNOFFICIAL

Sanesecurity.Malware.25815.ZipHeur.BadExt.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/6257bc60482f2f41caac1d61/reports/eca4eb6e-d543-493c-bb09-9411d3110b4b/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-13 04:17:02 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

21 of 42 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3iz37dqvukkdxr43zqnmoysn3m7k2ff6fqwulcyws473zktclesq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:tumb loader rat suricata

Link:

https://tria.ge/reports/220414-g12ksahdel/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925

(this sample)

Formbook

exe 4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89

Dropping

Formbook

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample