MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607
SHA3-384 hash: eeb19da50fb07f876acbd7f1a3077d797f16632e0f465bfcfc3c16fcbad68a566a576ccbb2a704dbb947a30832289474
SHA1 hash: cd17f46a9e3d47cbc3fda12c82109df11fb4d458
MD5 hash: f0624386c0f6acdb6bc4510eb93fb327
humanhash: leopard-mango-uniform-ack
File name:PRE ALERT NOTICE#202307.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:231'008 bytes
First seen:2023-06-30 06:26:21 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:RpU8PLhi1LB2NHdPfIOM3lZEjs8E8MMRbWLhU/:3PLhi1ENlIv7Gs5MRbWY
TLSH T1FB34239BCE215654C5DF227516C676B345AA378B65A8C3C07EE01392C068A3B7F78BCC
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "rsvn@regaljinfeng.com<rsvn@regaljinfeng.com>" (likely spoofed)
Received: "from [45.12.253.71] (unknown [45.12.253.71]) "
Date: "29 Jun 2023 21:51:31 +0200"
Subject: "=?UTF-8?B?UFJFLUFMRVJUIFNPI1NaUEE1OTI5MTcwMCAgSk9CI1NaWUMyMzAyMDY3Oe+8mkZPQiAvLyBTaGVuemhlbiB0byBJQ0QgVEtEIC8vICAxKjIwR1AgLy8gVG8gQWpheSBQb2x5IFB2dCBsdGQ=?="
Attachment: "PRE ALERT NOTICE#202307.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PRE ALERT NOTICE#202307.exe
File size:245'825 bytes
SHA256 hash: 215bf08032eb73c5e0b50bcce07def909e22f769315b0f90ed6cec87b28d44f6
MD5 hash: 4449429ef363924a7fcff191dd03a72b
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3462.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20230629-1537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/649e75b82299d26882637618/reports/131cd461-c34a-4810-af51-fed29b240c7c/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-29 09:37:00 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3cz7srl5cr345bm7jenw4is2ap4ddwb5ocv4rxujiau3ylsmydq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s28y persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230630-hvx6vahc6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607

(this sample)

Formbook

Executable exe 215bf08032eb73c5e0b50bcce07def909e22f769315b0f90ed6cec87b28d44f6

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 215bf08032eb73c5e0b50bcce07def909e22f769315b0f90ed6cec87b28d44f6
  
Dropping
Formbook

Comments