MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de463868a03e77e9dcd4679051ff3e4efd5910d3c15e0228027772ca3ed87f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de463868a03e77e9dcd4679051ff3e4efd5910d3c15e0228027772ca3ed87f04
SHA3-384 hash: 90ebd612848e6452c7874bfaffca3d49b2e13f3e0d52c3d5c5606ce3c646f9a88eb13b7573f78ab4197302acb132485f
SHA1 hash: a1324d656824172bec3b07bfddf041804dab9dcc
MD5 hash: 0529615e2f1ab87a7d709156050f3aa8
humanhash: six-carolina-spring-friend
File name:PAYMENT SLIP.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:410'078 bytes
First seen:2022-05-16 10:54:26 UTC
Last seen:2022-05-16 10:56:33 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:gkq6PETzTe2OBUptK6+sRyGg1kdDMmaJxk:mtL7oUptKbsRNg1iDvAxk
TLSH T1D794232ED2DF8142FE44013AD2A5BC536A7A998C526A9434094159F5E27FF503B8CBFC
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Teh Lee Kuan <jeff.davis@thefa.com>" (likely spoofed)
Received: "from thefa.com (unknown [104.223.33.145]) "
Date: "16 May 2022 10:51:35 +0200"
Subject: "PAYMENT SLIP"
Attachment: "PAYMENT SLIP.zip"

Intelligence

File Origin
# of uploads :
3
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62822dc3fd71ca8b2ee4c9ef/reports/d991c7d1-53a4-4ba1-95ae-79bc4885cfde/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/de463868a03e77e9dcd4679051ff3e4efd5910d3c15e0228027772ca3ed87f04
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de463868a03e77e9dcd4679051ff3e4efd5910d3c15e0228027772ca3ed87f04/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-05-15 22:52:38 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zddq2fahz36txgum6ifd7z6j36vsegtyfpaekaco5zmupwyp4ca._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:64pf loader rat
Link:
https://tria.ge/reports/220516-mz4lmsbdbl/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/de463868a03e77e9dcd4679051ff3e4efd5910d3c15e0228027772ca3ed87f04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip de463868a03e77e9dcd4679051ff3e4efd5910d3c15e0228027772ca3ed87f04

(this sample)

Formbook

Executable exe de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1

Comments