MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f52b9806cd2f5398beda8e65ead2ee5d0c818c0ca7872d6eb44b570a1bd58539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	f52b9806cd2f5398beda8e65ead2ee5d0c818c0ca7872d6eb44b570a1bd58539
SHA3-384 hash:	e895f0a2eeb341d514349efe5d7423d6c4d6f0d4507ece3934f7a2420f490f78b3936c5269f93d3b9788acdc0507c667
SHA1 hash:	c463ddf203be2dbb2cf4e23749e1e7aac65fa6cb
MD5 hash:	06a7eac10627a09ac91ebd277c186425
humanhash:	jersey-alpha-jupiter-spaghetti
File name:	KJ 09112021 MT-SGWI.ace
Download:	download sample
Signature	Formbook Create hunting rule
File size:	373'520 bytes
First seen:	2021-11-12 10:15:29 UTC
Last seen:	Never
File type:	ace
MIME type:	application/octet-stream
ssdeep	6144:OADgYTHFOcbecnLrdEqkFPh8dKBEIOzpAUEowx22A3shsMtdix:NsOea7kdhIEVupOoCbvvdo
TLSH	T1558423E2AEB5F9534E400BAEC3195423CFEB27F7484B27924F525935B3B4D1508B09BA
Reporter	cocaman
Tags:	ace FormBook

cocaman

Malicious email (T1566.001)
From: ""Shahzad Faiz" <procurement.pk@mtechintl.com>" (likely spoofed)
Received: "from [45.133.1.148] (unknown [45.133.1.148]) "
Date: "10 Nov 2021 22:57:09 -0800"
Subject: "FW: INQUIRY / 09112021 / MT-SGWI"
Attachment: "KJ 09112021 MT-SGWI.ace"

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/618e3ee73edf00a722d02655/reports/1c77bdae-4a96-40c4-826c-e01b73ef03ac/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f52b9806cd2f5398beda8e65ead2ee5d0c818c0ca7872d6eb44b570a1bd58539/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2021-11-11 17:18:12 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6uvzqbwnf5jzrpw2rzs6vuxolugiddamu6ds23vujnlqug6vqu4q._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:w8n5 loader rat

Link:

https://tria.ge/reports/211112-mavx7sdbc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.fourjmedia.com/w8n5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f52b9806cd2f5398beda8e65ead2ee5d0c818c0ca7872d6eb44b570a1bd58539

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ACE_Containing_EXE Create hunting rule
Author:	Florian Roth - based on Nick Hoffman' rule - Morphick Inc
Description:	Looks for ACE Archives containing an exe/scr file