MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ace246a5e84665f04d18849f84748a0ece2092b155197a8be1374d082507511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 5


SHA256 hash: 0ace246a5e84665f04d18849f84748a0ece2092b155197a8be1374d082507511
SHA3-384 hash: e835a827351cb9f46b247d3503e9c152618fe7b53db6041f059e4e59c500b2a6421c3f517f51e5e38b07e2aa197cf436
SHA1 hash: 0bcb5c3706543f69493926d36f4ba1374249e1b1
MD5 hash: 52b7c68c8cdb4fd3ebd710cc386c45ba
humanhash: jersey-fifteen-grey-salami
File name: TELEX RELEASE BL +COO_pdf.zip
Signature: Formbook
File size: 261'148 bytes
First seen: 2023-03-24 07:43:34 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 6144:Rk+QnJIj8JZSzYrplBX7E5x1qX2aIZnnYL905SB7mJl3:++QyjGhdE5x1o4Znnyq5rV
TLSH: T18E44239D964A562627845ACC83C11B774A13F648FCCF2AAC064908DF14D4EB1DCF9EBB
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: zip


cocaman
Malicious email (T1566.001)
From: "Chosen Qiu <cari@gerbilfun.com>" (likely spoofed)
Received: "from annette.gerbilfun.com (annette.gerbilfun.com [83.137.158.188]) "
Date: "Fri, 24 Mar 2023 07:50:08 +0100"
Subject: "TELEX RELEASE BL +COO"
Attachment: "TELEX RELEASE BL +COO_pdf.zip"

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: JHhGg762.exe
File size: 300'264 bytes
SHA256 hash: 148b60e2e8fddc7742ecec22573a0972da98d6bf0f0c1361f80f49d6799a1e09
MD5 hash: 469d4bff5636ca2035c291a119d0069d
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
zip 0ace246a5e84665f04d18849f84748a0ece2092b155197a8be1374d082507511 (this sample)

Delivery method: Distributed via e-mail attachment
