MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cd647cf45a089a687791658b81d5b5f32c7781a7f5134dfe965b86b18d2a3b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 8 File information Comments

SHA256 hash:	1cd647cf45a089a687791658b81d5b5f32c7781a7f5134dfe965b86b18d2a3b2
SHA3-384 hash:	075a655f534324cf08029b1534f3e028d22c19741a6fbd6c74028880f8c09a0b9cf4c1d06d310450b58a83e05fb06e85
SHA1 hash:	c4d74458bc7b984f6ec8d382ee3b74d8d9dae025
MD5 hash:	ce756500eb4c02f374ef4d50359e3032
humanhash:	mexico-bakerloo-gee-mars
File name:	RFQ220125pdf.arj
Download:	download sample
Signature	Formbook Create hunting rule
File size:	707'875 bytes
First seen:	2025-01-24 11:45:33 UTC
Last seen:	Never
File type:	arj
MIME type:	application/x-rar
ssdeep	12288:Qy902j4lyYWNOqzt+9f8lftKEEcDjQ4pShFkZCzGnnb0EID6VO6gsJ7ik98J:Z9BjwqzE8hgTjjnGnAEIDgO6gsZlKJ
TLSH	T17FE4337C3DB8B0EA4655CBB450D2FBA5EBF2E12231405266C65BC97D0A172F7CE02972
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	arj FormBook RFQ

cocaman

Malicious email (T1566.001)
From: "Hashtron International FZC <sales@hashtron.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.58.241]) "
Date: "24 Jan 2025 03:43:08 -0800"
Subject: "RFQ# 220124-220125"
Attachment: "RFQ220125pdf.arj"

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	RFQ220125pdf.exe
File size:	818'696 bytes
SHA256 hash:	0873358f1252f19f17bf03e959386d2c39ceb8b90b7a73d0de11456082c2730e
MD5 hash:	e498a5fa7a6aa35f90b5da4ddfc3607a
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1cd647cf45a089a687791658b81d5b5f32c7781a7f5134dfe965b86b18d2a3b2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1cd647cf45a089a687791658b81d5b5f32c7781a7f5134dfe965b86b18d2a3b2/

Threat name:

ByteCode-MSIL.Trojan.Remcos

Status:

Malicious

First seen:

2025-01-24 05:16:44 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dtlept2fuce2nb3zczmlqhk3l4zmo6a2p5itjx7jmw4gwggsuoza._file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)