MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 6



SHA256 hash: 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90
SHA3-384 hash: 63b5a951c13a378e060876bf08b459cac69f3cbf940d4e3b20c9dc6fe926c13a1ca5ed8104f09051e15b8b02b034082c
SHA1 hash: 7ed39b41b7ad56d21fa73e967c30c88fcff0b241
MD5 hash: 66730821c6262469431461d7ab1ad47e
humanhash: glucose-quebec-oven-mobile
File name: SKJjH877.r01
Signature: Formbook
File size: 731'328 bytes
First seen: 2023-07-18 06:38:09 UTC
Last seen: Never
File type: r01
MIME type: application/x-rar
ssdeep: 12288:WNo56nKIvQYlqSqPt46KoiFhVk2lQpktG2KKlaRakyVO23g3JOj1GCVSAO2BzslJ:WhKIyneoOvdliktGmGvB2w3JOj1GCVSH
TLSH: T183F423F5021A89E6E4F3DACA765A0253BBB0A1B4A54C0FBF510BD7590F2711847F8E9C
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: FormBook r01


cocaman
Malicious email (T1566.001)
From: "JUDY<info@aczel.org>" (likely spoofed)
Received: "from aczel.org (unknown [194.59.31.183]) "
Date: "17 Jul 2023 21:15:33 +0200"
Subject: "sales contract "
Attachment: "SKJjH877.r01"

Intelligence


File Origin
# of uploads: 1
# of downloads: 95
Origin country: CH
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name: SKJjH877.exe
File size: 446'464 bytes
SHA256 hash: 4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49
MD5 hash: fb8f5907dea7f91643212ede079ebc4e
MIME type: application/x-dosexec
Signature: Formbook

File name: sales contract.xls
File size: 523'776 bytes
SHA256 hash: a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d
MD5 hash: 4c67ee1f39fbbdc5fa1ecaba1792b0e8
MIME type: application/vnd.ms-excel
Signature: Formbook

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control greyware lolbin packed

Result
Verdict: MALICIOUS
Details:
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-07-17 12:58:05 UTC
File Type: Binary (Archive)
Extracted files: 55
AV detection: 20 of 37 (54.05%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
r01 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook
