MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695
SHA3-384 hash: 91200c4ab683a72ae4e17ef2c5bc6d1bb3c56fb4b09e9f99d4b4b05977d4d4a53f195fe62210739ed142a8e67a9bc0a0
SHA1 hash: 69f64c1a889418f9bdfde7b575669557e8974d4b
MD5 hash: a87efc5644fbe1032bdb7baab75cdebf
humanhash: nineteen-november-floor-wisconsin
File name:Documents.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:644'438 bytes
First seen:2023-12-19 09:06:37 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:L/LMAB/VtSypFnmHzLgPBKIYzXKyu14vkHNrI06YsQ8UV6IH/rbMh:LjHB/V0ypFvPBKIYzlKaIrrMQ8/IPMh
TLSH T19CD42358BF6F59B3244072A70564530FD4BB29566CF21AEF00B62FB7E38223F4619922
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Purchasing <Purchasing@sc.com>" (likely spoofed)
Received: "from sc.com (unknown [91.92.252.186]) "
Date: "18 Dec 2023 18:47:16 -0800"
Subject: "Re: order confirmation"
Attachment: "Documents.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Documents.exe
File size:883'712 bytes
SHA256 hash: 659a4586010d7f595e7e25372c8590ed8321e9de68c316bf50999cfabd48c000
MD5 hash: 9685b04c347963e4c2e020693b011ba3
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs2920.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.24904.ZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65815d38ffafd83ebc949ed9/reports/be36debd-488a-4cb2-b4f8-71df253d9c9a/overview
Verdict:
Malicious
Labled as:
Troj/Krypt
Link:
https://www.hybrid-analysis.com/sample/4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
Archive
Link:
https://malprob.io/report/4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2023-12-18 15:22:24 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
22 of 35 (62.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyz4v3n2l4qqfclsoswdeifdbxk6sbpgisuewmlstgzq2avms2kq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gd12 rat spyware stealer trojan
Link:
https://tria.ge/reports/231219-qfhfvabceq/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 4e33caedba5f2102897274ac3220a30dd5e905e644a84b317299b30d02ac9695

(this sample)

Formbook

Executable exe 659a4586010d7f595e7e25372c8590ed8321e9de68c316bf50999cfabd48c000

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 659a4586010d7f595e7e25372c8590ed8321e9de68c316bf50999cfabd48c000
  
Dropping
MD5 9685b04c347963e4c2e020693b011ba3

Comments