MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a6df8bc2547ccd52803a48656114e0177332d62f36c559f32d9035ad0b04030. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 23 File information Comments

SHA256 hash:	5a6df8bc2547ccd52803a48656114e0177332d62f36c559f32d9035ad0b04030
SHA3-384 hash:	62425ddea714cf03b9909db761a8eab94f6f2b833e22bcc1c4315e09a59d39767d7774309693cb338a2c9865d1bc5a13
SHA1 hash:	e7e8c47de6cf5dabf764692b2c0a65ddb94b1cbf
MD5 hash:	2fdffb6ad97ad521a6ef0dfb21bea4f7
humanhash:	arizona-alabama-hot-ohio
File name:	BL-SHIPPING INVOICE.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	603'298 bytes
First seen:	2024-02-26 09:43:28 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:h4xgA7O42TDYIaXBg7rRlVOh7usLUMvrfh7sCTtSSSNvl1UkW:ajO42o3XBqrPk7Rzt8ZHC
TLSH	T17DD423F2CD2B45A9938D1AB564EA97755FAA131BDE0B97F34B0B22FF04821E369C1140
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	FormBook INVOICE Shipping zip

cocaman

Malicious email (T1566.001)
From: "Suki.Su@mic.com.tw<Suki.Su@mic.com.tw>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.57.132]) "
Date: "21 Feb 2024 21:12:30 +0100"
Subject: "Re: CONTRACT OF RING TRAVELLER - TP-LRT/0401-24 INV.3175001503"
Attachment: "BL-SHIPPING INVOICE.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	BL-SHIPPING INVOICE.exe
File size:	747'008 bytes
SHA256 hash:	02a690404a3d82ed7aef87f8518cac02809384d6b0550a36fc837c8552255d3d
MD5 hash:	04f44a0cce98b16a0c4154119ff88cd6
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL

Sanesecurity.Rogue.0hr.20240221-1540.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Win.Trojan.Generic-10014419-0

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/65dc5d6322703c3491b2897f/reports/74d860fb-27a9-49a6-8fb2-3292579cbadb/overview

Verdict:

Suspicious

Labled as:

Troj/Inject

Link:

https://www.hybrid-analysis.com/sample/5a6df8bc2547ccd52803a48656114e0177332d62f36c559f32d9035ad0b04030

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/5a6df8bc2547ccd52803a48656114e0177332d62f36c559f32d9035ad0b04030

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a6df8bc2547ccd52803a48656114e0177332d62f36c559f32d9035ad0b04030/

Threat name:

ByteCode-MSIL.Trojan.PureLogStealer

Status:

Malicious

First seen:

2024-02-21 13:41:46 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ljw7rpbfi7gnkkadusdfmekoaf3tgllc6nwflhzs3ebvvufqiaya._file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:	https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg

Rule name:	SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1 Create hunting rule
Author:	Florian Roth
Description:	Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:	https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla