MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f
SHA3-384 hash: d847016ffa63a1917192de14bf01d1f1ceeeaf85b263be65ff776abebec7fffcf0c8284c748ba2bad1332e21ba4f4465
SHA1 hash: 648ed36d28f63bf433e41065fa145debcf9dec04
MD5 hash: ca3d1f669a9dbb6cf389ff3b0e2d9079
humanhash: butter-apart-michigan-romeo
File name:Document0081924.Pdf.7z
Download: download sample
Signature Formbook
Create hunting rule
File size:814'730 bytes
First seen:2024-08-19 07:04:26 UTC
Last seen:Never
File type: 7z
MIME type:application/x-rar
ssdeep 12288:SaFfdoct7eAoIoGQ7RpyL6G/aP5fAjOY0A3y4nTYOIB/5eExJOwgWK1cvFhx2KbN:Scf2ctxclp/o50C0wEDgl1cB2Kb4T+j
TLSH T1620533FDEB82103E72790958D0535B0A38C799D93B28888E6E7FC1BAF77D2218D6D454
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:7z FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?7Jyk67OR7KSA?= <luke@osstem.com>" (likely spoofed)
Received: "from osstem.com (unknown [198.23.206.42]) "
Date: "19 Aug 2024 08:51:33 +0200"
Subject: "Quote Repair Kit"
Attachment: "Document0081924.Pdf.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Document0081924.exe
File size:881'152 bytes
SHA256 hash: db87b7e683d92aa8d013663c6bc6ba116023af2cb7f9ec6c2ad88694235f2b12
MD5 hash: d14d08bd3c4c4e275b01b686dfe2448d
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c2eea4aa5b40be0aa07dde
Tags:
Generic Static Swotter
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f/results/dashboard
Gathering data
Verdict:
Suspicious
Labled as:
Mal/RarMal
Link:
https://www.hybrid-analysis.com/sample/000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f/
Threat name:
ByteCode-MSIL.Trojan.SuspMsilIn7zEmail
Create hunting rule
Status:
Malicious
First seen:
2024-08-19 06:50:07 UTC
File Type:
Binary (Archive)
Extracted files:
8
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aahvdqrhu4fawebeb77zszfksup62zzbqquetwdxoxfwjx2synpq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240819-h8y1asvarm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 000f51c227a70a0b10240fff9964aa951fed6721842849d87775cb64df52c35f

(this sample)

Formbook

Executable exe db87b7e683d92aa8d013663c6bc6ba116023af2cb7f9ec6c2ad88694235f2b12

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 db87b7e683d92aa8d013663c6bc6ba116023af2cb7f9ec6c2ad88694235f2b12
  
Dropping
MD5 d14d08bd3c4c4e275b01b686dfe2448d

Comments