MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f50a048e567c1bf04467e9f26f300274b2cb0c4c23026968eb91346930383913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f50a048e567c1bf04467e9f26f300274b2cb0c4c23026968eb91346930383913
SHA3-384 hash: b59d3d63067dfa580f9833e7348a34955d4561205f387cb36fb0123ca78980e68df97098303c07603b6c84a8dcaed84e
SHA1 hash: 8e4754c557c60b1024cfc7add29cc58309503a8f
MD5 hash: 21fbe73b1ffcd9b36a4fed613e901bf1
humanhash: purple-bakerloo-bluebird-angel
File name:Шұғыл сатып алу тапсырысы.Pdf.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:732'500 bytes
First seen:2022-03-09 14:41:50 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:uFr/pkSF9x+wO+ixDUbMIKrVbrixO64/wWtc7UCODvRjYexXzebnOH4IAV:uFbF90v+i+bMIKrQxj4AdODJsexDeSXK
TLSH T17AF423DD381E7186AD0B88B5451E2DAE2B8F0D51381FC40BA550E1CE4C6F89B8B7E7B5
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "ALC Kastamonu <kastamonu@alcservis.com>" (likely spoofed)
Received: "from notification.alcservis.com (notification.alcservis.com [176.53.90.83]) "
Date: "Wed, 9 Mar 2022 06:27:57 +0300 (EET)"
Subject: "=?utf-8?B?UmU6IFJlOiDQqNKx0pPRi9C7INGB0LA=?=
=?utf-8?B?0YLRi9C/INCw0LvRgyDRgtCw0L/RgdGL0YDRi9GB0Ys=?="
Attachment: "Шұғыл сатып алу тапсырысы.Pdf.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25516.ZipHeur.Ext.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6228bcbfdfdfa8501c80b7e0/reports/ea82a5f5-66d5-4609-bef4-504ca56a7e28/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f50a048e567c1bf04467e9f26f300274b2cb0c4c23026968eb91346930383913
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f50a048e567c1bf04467e9f26f300274b2cb0c4c23026968eb91346930383913/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 05:20:23 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ufajdswpqn7ardh5hzg6macoszmwdcmembgs2hlse2gsmbyhejq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d2g7 rat spyware stealer trojan
Link:
https://tria.ge/reports/220309-r22x2shdf9/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
.NET Reactor proctector
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f50a048e567c1bf04467e9f26f300274b2cb0c4c23026968eb91346930383913

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f50a048e567c1bf04467e9f26f300274b2cb0c4c23026968eb91346930383913

(this sample)

Formbook

Executable exe ffd04d82156eede57a242db418b539e9ee13aa1bf5123df96db273c0f6f6ce71

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ffd04d82156eede57a242db418b539e9ee13aa1bf5123df96db273c0f6f6ce71
  
Dropping
Formbook

Comments