MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f115ed1982738394cbb69590c349fd4599394656c1dfd745e3533734ef04b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36f115ed1982738394cbb69590c349fd4599394656c1dfd745e3533734ef04b2
SHA3-384 hash: ca75da21486b079dc3b871d6788032a58c88bead7426fa48706031a341b799f2d2111002f5dce21b7fe837bcb741fd04
SHA1 hash: 7fb26f8ec751425707257c28335e6ba9a108adb6
MD5 hash: 86ebfdde7e0bfc420bce207296316fba
humanhash: glucose-nine-eighteen-pip
File name:scan_76567.pdf.z
Download: download sample
Signature Formbook
Create hunting rule
File size:979'752 bytes
First seen:2024-10-03 07:39:52 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 24576:ZXk0FilGDo54i93pt/+bSHNRjTwegN19ETGgBM9nIu71p:ZXFS6a7JqSHTjTweAei+6nIu71p
TLSH T18B2523802BD3244AF372057A6370C50111AB7A1699C4F6F3DDEE5EBA2D173E12AC17B5
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter cocaman
Tags:FormBook INVOICE payment SWIFT z


Avatar
cocaman
Malicious email (T1566.001)
From: "sales <info@wincor-nixdorf.com>" (likely spoofed)
Received: "from wincor-nixdorf.com (unknown [23.94.177.38]) "
Date: "3 Oct 2024 06:36:18 +0200"
Subject: "Payment Swift For Overdue Invoices"
Attachment: "scan_76567.pdf.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:scan_76567.exe
File size:1'336'627 bytes
SHA256 hash: 0bf69f612cadf4348b28d3dcbfcd293a226c9415d59dd516fb161fb309946383
MD5 hash: 19c6a8ea065e0ecc60bd0a95506db093
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Rogue.0hr.20241002-1336.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fbfa4b58399e4484e7c182
Tags:
Autoit Emotet
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/36f115ed1982738394cbb69590c349fd4599394656c1dfd745e3533734ef04b2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36f115ed1982738394cbb69590c349fd4599394656c1dfd745e3533734ef04b2/
Threat name:
Win32.Trojan.Autoitinject
Create hunting rule
Status:
Malicious
First seen:
2024-10-01 14:28:43 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3yrl3izqjzyhfglw2kzbq2j7vczsokgk3a57v2f4njtonhpasza._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36f115ed1982738394cbb69590c349fd4599394656c1dfd745e3533734ef04b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIt
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:AutoIT packer
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z 36f115ed1982738394cbb69590c349fd4599394656c1dfd745e3533734ef04b2

(this sample)

Formbook

Executable exe 0bf69f612cadf4348b28d3dcbfcd293a226c9415d59dd516fb161fb309946383

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0bf69f612cadf4348b28d3dcbfcd293a226c9415d59dd516fb161fb309946383
  
Dropping
Formbook

Comments