MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de12c9134fcde73ecd31ab3feceb690c5444c713c81ff16948d748df282348c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de12c9134fcde73ecd31ab3feceb690c5444c713c81ff16948d748df282348c8
SHA3-384 hash: 8aadf7054784efb50e38d24a8ffa8a85fa2c55f8da8cedfa768b61e2c004cda437f3a726537ab6edd03e03075b1ec1dc
SHA1 hash: 78c562ef8dd4249f54ce7d3969319fc846e4932d
MD5 hash: bd10cfbc74df5f93922b858d615dd5f1
humanhash: fourteen-artist-minnesota-march
File name:Updated SOA 210920.PDF.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:484'571 bytes
First seen:2021-09-22 12:14:19 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:Hbq1tUWfPgKmyF2rE+k8xNmc5FAiR+PGlmLSYcfG2kW6vff7:vWA4yrzmc0iRBmNcfG2kjfz
TLSH T1D6A42386E8865570A720ADE5617D9FFD8BCEC0628073F5060BEE73485A21BDBDC4178E
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Stella - Cargotrans" <Nick@pml-ltd.com>" (likely spoofed)
Received: "from pml-ltd.com (unknown [103.156.91.251]) "
Date: "22 Sep 2021 04:33:15 -0700"
Subject: "=?UTF-8?B?UkU6IFVwZGF0ZWQgU09BIDIxMDkyMC8v562U5aSNOiBTdGF0ZW1lbnQgMjEwOTIw?="
Attachment: "Updated SOA 210920.PDF.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25510.ZipHeur.Ext.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/de12c9134fcde73ecd31ab3feceb690c5444c713c81ff16948d748df282348c8
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de12c9134fcde73ecd31ab3feceb690c5444c713c81ff16948d748df282348c8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 10:21:05 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yjmse2pzxtt5tjrvm76z23jbrkejrytzap7c2ki25en6kbdjdea._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ny9y loader rat
Link:
https://tria.ge/reports/210922-pexnpsced7/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.caddomain.com/ny9y/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/de12c9134fcde73ecd31ab3feceb690c5444c713c81ff16948d748df282348c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip de12c9134fcde73ecd31ab3feceb690c5444c713c81ff16948d748df282348c8

(this sample)

Formbook

Executable exe 81d263a31fc8b6fe2e2db250efd4314912eb09a11027a6cfc67257d7fa5e071a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 81d263a31fc8b6fe2e2db250efd4314912eb09a11027a6cfc67257d7fa5e071a
  
Dropping
Formbook

Comments