MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58a17912b19018fa6db6ba74701727fd0c1c88d9be8d52719e3a2febedca725b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: 58a17912b19018fa6db6ba74701727fd0c1c88d9be8d52719e3a2febedca725b
SHA3-384 hash: f7682b902cbd3da5845c8e0a05349ff76687d5562918c227b6a094549db79afe653bfa2493593ab2090a82bd9f70de0d
SHA1 hash: 089add450e5f175cc339f909f8e7c8f01164fd2c
MD5 hash: ef202e52d88ef74e0c5fc9022885baec
humanhash: fruit-oscar-fruit-jupiter
File name: SHIPPING DOCUMENT.zip
Signature: Formbook
File size: 271'532 bytes
First seen: 2023-02-10 11:22:53 UTC
Last seen: 2023-02-11 11:39:37 UTC
File type: zip
MIME type: application/zip
ssdeep: 6144:aAj4ZOLFbPx7S5RhGKNHaLlVFF6wNztIFK/s2358JSZsV09o:aW4Qpzx7SHNJcVttIFKEY5WSOVn
TLSH: T1374423CC31F4D4AC8D1C79B34C6378A395B9192E345A7D22B4ABB1084EFFAC15E75096
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: FormBook Shipping zip


cocaman
Malicious email (T1566.001)
From: "<vuakem@vuakem.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.136]) "
Date: "10 Feb 2023 16:50:08 +0100"
Subject: "SHIPPING DOC (CI,COO,PL,BL)"
Attachment: "SHIPPING DOCUMENT.zip"

Intelligence

File Origin

# of uploads: 4
# of downloads: 102
Origin country: n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: SHIPPING DOCUMENT.exe
File size: 286'309 bytes
SHA256 hash: 6769905302dd965b16c74da2c0a5633dd4cbfe5c8879a5db6a7322d53d668533
MD5 hash: f3866e6abfafb795575214fa9cf62ca5
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2023-02-10 11:22:57 UTC
File Type: Binary (Archive)
Extracted files: 5
AV detection: 12 of 39 (30.77%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_formbook_w0
Author: @malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
zip 58a17912b19018fa6db6ba74701727fd0c1c88d9be8d52719e3a2febedca725b (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook