MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04b2a4620edf4bbb317ecd373cd29fcc663514dd0c5b2115e39994ed5be91d1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 18 File information Comments

SHA256 hash:	04b2a4620edf4bbb317ecd373cd29fcc663514dd0c5b2115e39994ed5be91d1e
SHA3-384 hash:	bdc2d6c13bf4fcaf627380bf9dc5542cdfc8e4ac2628754b57dfc8ed6c62daf352e528042d2a5b284d3c9524763ad023
SHA1 hash:	763b8000992683e88fe3a308d6cb058da54dd6e9
MD5 hash:	676a8bfecb53e8b2c8300b978bc7fce3
humanhash:	fruit-arizona-wolfram-potato
File name:	PI-INV-0459384.ARJ
Download:	download sample
Signature	Formbook Create hunting rule
File size:	378'821 bytes
First seen:	2023-10-30 08:34:20 UTC
Last seen:	2023-10-30 08:34:45 UTC
File type:	arj
MIME type:	application/x-rar
ssdeep	6144:/T9V6xCDX3GtilUYdfgA6f2ZC1Jbi6aJJVwdfkMxkdxg53QcnoOgMZx9kwMyeza/:h0xsbG8TK2A1JbiN3QkMxkdu5/3gMr9H
TLSH	T12A8423E9257A3FB7A8B777002B324C78526766E40C573C93660E9DC25C56F409E133EA
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	arj FormBook INVOICE

cocaman

Malicious email (T1566.001)
From: "Sales Manager <pharmapet105@gmail.com>" (likely spoofed)
Received: "from [79.110.62.118] (unknown [79.110.62.118]) "
Date: "30 Oct 2023 04:22:15 +0100"
Subject: "Revise Invoice to Euro Currency"
Attachment: "PI-INV-0459384.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PI-INV-0459384.exe
File size:	392'164 bytes
SHA256 hash:	b253502d8bce85fda32fc5264bb7736c3280149b529fffc2e77f2c66257b0696
MD5 hash:	e2c27799f6cadebcc100c42409bbd869
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/653f6ab7b38131f117aaa361/reports/51539f59-a271-4262-b363-800628e64c97/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/04b2a4620edf4bbb317ecd373cd29fcc663514dd0c5b2115e39994ed5be91d1e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04b2a4620edf4bbb317ecd373cd29fcc663514dd0c5b2115e39994ed5be91d1e/

Threat name:

Win32.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-10-30 00:02:44 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aszkiyqo35f3wml6zu3tzuu7zrtdkfg5brnscfpdtgko2w7jdupa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

arj 04b2a4620edf4bbb317ecd373cd29fcc663514dd0c5b2115e39994ed5be91d1e

(this sample)

Formbook

exe b253502d8bce85fda32fc5264bb7736c3280149b529fffc2e77f2c66257b0696

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 b253502d8bce85fda32fc5264bb7736c3280149b529fffc2e77f2c66257b0696

Dropping

Formbook

Dropping

MD5 e2c27799f6cadebcc100c42409bbd869

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample