MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e
SHA3-384 hash:	3234944ee857c0c752b9dc544dc4c6ac4f2085b3c2fc71668e53f03aa8f560f2fcffcdf9535b728cf872ea17b6c903c3
SHA1 hash:	66f12812acdabdb9c3cee1b463fb7d7c609bfb42
MD5 hash:	ca2b25b2a9076f7a8daa9c16415352e3
humanhash:	vermont-eleven-north-eighteen
File name:	Purchase Order010524.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	28'923 bytes
First seen:	2024-05-02 06:24:56 UTC
Last seen:	2024-05-02 07:23:24 UTC
File type:	zip
MIME type:	application/zip
ssdeep	768:7SwQJ+v+TUFUIeNUJDFiZx+UgVgv+7/Gx8k:7/QJ+mMUIeNUyZxJgVg6exv
TLSH	T133D2E14F38DD9675B75A85E33D02553A332B65200AA6D1D91808C884C3FB2B7FF5B066
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	CVE-2017-11882 FormBook zip

cocaman

Malicious email (T1566.001)
From: "C.Ramon <ramoncardoso@tckt.cam>" (likely spoofed)
Received: "from rdns0.tckt.cam (tckt.cam [79.141.167.19]) "
Date: "02 May 2024 00:23:03 -0700"
Subject: "Re: Telecon follow up / Purchase order"
Attachment: "Purchase Order010524.zip"

Intelligence

File Origin

# of uploads :

2

# of downloads :

239

Origin country :

CH

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.29015.RtfHeur.Msg.UNOFFICIAL

Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL

MiscreantPunch.EvilRTF.CommonLure.UNOFFICIAL

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL

TwinWave.EvilDoc.RoomService.20230808.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Fake RTF File

Link:

https://app.docguard.net/2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/663331c1874e85cc56654560/reports/2c6d51a9-7b78-436a-bc22-2b1f8c52eaf5/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e

Score:

99%

Verdict:

Malware

File Type:

ARCHIVE

Link:

https://malprob.io/report/2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e/

Threat name:

Document-Office.Exploit.CVE-2017-11882

Status:

Malicious

First seen:

2024-05-02 06:24:59 UTC

File Type:

Binary (Archive)

Extracted files:

4

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=frermfjshdmfrmnioixy7zwg2zdc6fzb5g4wh4wip2r3ps622fpa._file

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/240502-ja9jtacc81/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Launches Equation Editor

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Suspicious use of SetThreadContext

Process spawned suspicious child process

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 2c4916153238d858b1a8722f8fe6c6d6462f1721e9b963f2c87ea3b7cbdad15e

(this sample)

doc 49eae141b85b2dee809a1e86df1518d2d32a79367cf1a01f55f98c98d32f59ce

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 49eae141b85b2dee809a1e86df1518d2d32a79367cf1a01f55f98c98d32f59ce

Dropping

MD5 7ebb7f9239d5dea3e17fd9b51f12c5a7

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample