MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c
SHA3-384 hash:	0a0af081ad349d2875811975124e9d35e7acb247ad2ed2e6d0196ca715a18c40232dad9347b72039fefcc37de685d35b
SHA1 hash:	de355b70f27a6d6a899daf17a5fa98b7ad6a4f4f
MD5 hash:	dcd2de08ed1e1a568fc3fc7dbbc7aca2
humanhash:	monkey-september-autumn-lake
File name:	SOA END OF JULY 2023_PDF.cab
Download:	download sample
Signature	Formbook Create hunting rule
File size:	266'752 bytes
First seen:	2023-08-17 05:41:55 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	6144:CCXit2LPtP0yMW0Aa7gSwan2M/BrvKQHZWSn:zXitWlbRNo/w8/sQ5L
TLSH	T13C44230F61DFCFF5E914BEC2F9A6C1751033BEA090788125A7A635388934BCEEA552D1
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	cab FormBook INVOICE QUOTATION rar

cocaman

Malicious email (T1566.001)
From: ""Lgpartner Docu.Scanned" <info@czeckav.com>" (likely spoofed)
Received: "from willards.czeckav.com (willards.czeckav.com [88.209.206.70]) "
Date: "Tue, 15 Aug 2023 13:39:04 +0100"
Subject: "Re: Lgpartner - SOA JULY, 2023 INVOICES, QUOTATION & ISSUED
DOCUMENTS - id:PBUCvtJl_ urs.lustenberger"
Attachment: "SOA END OF JULY 2023_PDF.cab"

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	SOA END OF JULY 2023_PDF.exe
File size:	282'687 bytes
SHA256 hash:	86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
MD5 hash:	745187a622580b5979668fabc06e0fe4
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27271.Rar5Heur.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c/results/dashboard

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c/

Threat name:

Win32.Trojan.ZmutzyPong

Status:

Malicious

First seen:

2023-08-15 13:01:30 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=echiq4bespwjywppp5hqkkw7w4yakm57hej7wzx5a4ivcz4gojoa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.