MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7
SHA3-384 hash: 832ddd6a884a580b207583b808c97c0c870950ec1949949a25682cd6ca1cd21f963004a4471de07da87cbeae3f25e546
SHA1 hash: 4a4f11974a453dff1d8cc12fc41c1bd0230528ee
MD5 hash: 11144b7ff3e80b332b8aea3368f5d638
humanhash: indigo-steak-yankee-ack
File name:BANK DETAILS-26012022-971332pdf.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:42'090 bytes
First seen:2022-01-28 07:32:33 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 768:+0KZmZSROreXXHcdDTQbXUI74XJ6iak3cIjjO0JvvN5hqBNgHRM6/nKcfIdGsWEF:1aXFUWsak3cGLJ3TkuxMGLqWdK
TLSH T11D13F1A2278AE0341444F59868FE2F913C267501765444E5C288B1C7796BF74EFBE7B3
Reporter cocaman
Tags:FormBook gz INVOICE


Avatar
cocaman
Malicious email (T1566.001)
From: ""Rusli Cadcam" <support@chhl.com>" (likely spoofed)
Received: "from gracious-khorana.185-176-220-51.plesk.page (unknown [185.176.220.51]) "
Date: "27 Jan 2022 07:27:13 -0800"
Subject: "OUTSTANDING PAYMENT// INVOICE REMITTANCE/BANK DETAILS 1/27/2022 7:27:12 a.m."
Attachment: "BANK DETAILS-26012022-971332pdf.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.292.26633.22956.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated replace.exe
Link:
https://www.filescan.io/uploads/61f39c3420a5f4d327d89fe8/reports/11dc5e64-25c5-4e3f-ad20-fd004390dc9d/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-27 04:33:21 UTC
File Type:
Binary (Archive)
Extracted files:
16
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lfnu33d72v7phed7njb324idruh3w2nhebphn7jq5rnorwzsplq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:be4o loader rat suricata
Link:
https://tria.ge/reports/220128-jdh62ahbdl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7

(this sample)

Formbook

Executable exe 234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8

Comments