MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0edcb3f434ae755c3cb8bca1938f0ac938ec6a744cb74fe84d47ab9c919dd6fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0edcb3f434ae755c3cb8bca1938f0ac938ec6a744cb74fe84d47ab9c919dd6fa
SHA3-384 hash: 69a5e36d455fa82310e0b2b793e9359edb5acaf4c35b051dc351716e75b42f398ffb14825583dce39790898b80aa4415
SHA1 hash: 731ff5943c2b64f33b56d204952695faa02bb6c5
MD5 hash: 454ad4aed1d340ef4a026deae4102908
humanhash: chicken-fish-music-butter
File name:USD Payment Confirmation.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:1'053'113 bytes
First seen:2024-09-19 10:25:37 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:wU+Q7KyXet4MCY7nHkJzlgXwlfzfMELu6IzEUUMhrXAyYUnBa:wU19I36la6ADIWhrXAO8
TLSH T1502533C4D72B3D880FA8E41F8933507714FA01962740809769E736EFA6D9A4EC7A63E1
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter cocaman
Tags:FormBook payment rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Rahul Rajendran <efsg.bd@efsme.com>" (likely spoofed)
Received: "from efsme.com (unknown [185.222.58.247]) "
Date: "19 Sep 2024 06:06:10 +0200"
Subject: "RE: USD Payment Confirmation"
Attachment: "USD Payment Confirmation.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:USD Payment Confirmation.exe
File size:1'412'717 bytes
SHA256 hash: 27f7c51ecf059815a8a966e9bd52aea6951ac2dc93e7d7f8d240a80be0a85bec
MD5 hash: fac2195857b5b3a62d2ea2407ddca124
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Rogue.0hr.20240919-1037.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ebfc3c77496a3b0d6ef081
Tags:
Encryption Swotter
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0edcb3f434ae755c3cb8bca1938f0ac938ec6a744cb74fe84d47ab9c919dd6fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0edcb3f434ae755c3cb8bca1938f0ac938ec6a744cb74fe84d47ab9c919dd6fa/
Threat name:
Script-AutoIt.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-09-19 10:25:40 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3olh5buvz2vypfyxsqzhdykze4oy2tujs3u72cni6vzzem5235a._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240919-q2zl9asbnm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIt
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:AutoIT packer
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 0edcb3f434ae755c3cb8bca1938f0ac938ec6a744cb74fe84d47ab9c919dd6fa

(this sample)

Formbook

Executable exe 27f7c51ecf059815a8a966e9bd52aea6951ac2dc93e7d7f8d240a80be0a85bec

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 27f7c51ecf059815a8a966e9bd52aea6951ac2dc93e7d7f8d240a80be0a85bec
  
Dropping
MD5 fac2195857b5b3a62d2ea2407ddca124

Comments