MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faaf9067632f27df389f09dd6fc4bec073fc25bec1043672201b312c7f3454c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faaf9067632f27df389f09dd6fc4bec073fc25bec1043672201b312c7f3454c7
SHA3-384 hash: 15c18fa8d740c01be16afe9ef0c0aefb781b1b61991def5ab67c8074f163368c319e746c79cb6ad4cf698119b498cf59
SHA1 hash: 7343b35365d6d7406a99ec00fd47bba71cd3c7e7
MD5 hash: 7e78c111943858ddd09bd268d492206e
humanhash: black-oranges-muppet-zebra
File name:PFR 2012R2-45137.lzh
Download: download sample
Signature Formbook
Create hunting rule
File size:510'288 bytes
First seen:2021-09-09 06:07:31 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:AXnvdDRF1/4ziHhBh6ECE7UMJUu7QB3k4l4B06oCw3h16j3E2VJIw:A3L/Pn232B0vCw1A3E2Aw
TLSH T10FB42392F2B4EB2070439D69859FB889ED009F32E03B28F2236D79D155F655C2BE58DC
Reporter cocaman
Tags:FormBook lzh rar


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?RUxNUyDEsE7FnkFBVA==?= <elmsinsaat@gmail.com>" (likely spoofed)
Received: "from gmail.com (unknown [45.137.22.48]) "
Date: "9 Sep 2021 06:40:27 +0200"
Subject: "=?UTF-8?B?UkU6IGlocmFjYXQgZXZyYWtsYXLEsQ==?="
Attachment: "PFR 2012R2-45137.lzh"

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faaf9067632f27df389f09dd6fc4bec073fc25bec1043672201b312c7f3454c7/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 06:08:08 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
5 of 45 (11.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kxzaz3df4t56oe7bhow7rf6ybz7yjn6yecdm4radmysy7zuktdq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ergs rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210909-gvzh8saggn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.barry-associates.com/ergs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/faaf9067632f27df389f09dd6fc4bec073fc25bec1043672201b312c7f3454c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar faaf9067632f27df389f09dd6fc4bec073fc25bec1043672201b312c7f3454c7

(this sample)

Formbook

Executable exe 6a778cbfb34a637265c39ae5a0a321010998d93fb7183b4e8766a4a2390bf72f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6a778cbfb34a637265c39ae5a0a321010998d93fb7183b4e8766a4a2390bf72f

Comments