MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a7f55a5a5b5e82c411529be68388d90dde5ece7639751d5749b3e30e92eaa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f1a7f55a5a5b5e82c411529be68388d90dde5ece7639751d5749b3e30e92eaa2
SHA3-384 hash:	5330366b0805eef76eeaeeebe349ab34493d1032c3dff16446e436ed12ed98789ec384cfb68a641e0ce6e411aab7eda5
SHA1 hash:	857a1feaf1bb97fcc2dee0a7782cae998618bf07
MD5 hash:	d0cea133e5f6c05ecbd8809e51793462
humanhash:	ceiling-cola-indigo-nevada
File name:	NpsklpjhrybdSWIFT-Kopie ejpswlorisqr.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	370'532 bytes
First seen:	2021-07-12 11:02:41 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:h+riPZoyPEtej3/uwlsuxDpv2rOQUuBCex/ZdvJ20s3tRzH9vIYw8FTjpBKEtA:hHPTPEtc/DdxDhKOQnEwZdx20WzdAYwT
TLSH	T1B37423EE45B7300174ED9434FCB1E6ECADD59F6ECE1A67280C1608A7329562D0A32E67
Reporter	cocaman
Tags:	FormBook SWIFT zip

cocaman

Malicious email (T1566.001)
From: "Claudia Zachrau <Claudia.Zachrau@oberpfalzmedien.de>" (likely spoofed)
Received: "from pkz61-1-spamexpert3.hoster.kz (pkz61-1-spamexpert3.hoster.kz [185.111.104.70]) "
Date: "Mon, 12 Jul 2021 22:33:55 +1200"
Subject: "AW: Frohe Weihnachten"
Attachment: "NpsklpjhrybdSWIFT-Kopie ejpswlorisqr.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f1a7f55a5a5b5e82c411529be68388d90dde5ece7639751d5749b3e30e92eaa2

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1a7f55a5a5b5e82c411529be68388d90dde5ece7639751d5749b3e30e92eaa2/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-07-12 11:03:04 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gt7kws2lnpifrarkkn6na4i3eg54xwooy4xkhkxjgz6gdus5kra._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210712-ep6clt67m6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.kmresults.com/n7ak/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f1a7f55a5a5b5e82c411529be68388d90dde5ece7639751d5749b3e30e92eaa2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f1a7f55a5a5b5e82c411529be68388d90dde5ece7639751d5749b3e30e92eaa2

(this sample)

Formbook

exe c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample