MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b37a66d9c4dce04b671f22c0746f1472e9dc089972e4b0c949d3884bfcb2b66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b37a66d9c4dce04b671f22c0746f1472e9dc089972e4b0c949d3884bfcb2b66
SHA3-384 hash: 89bdd3ea3c38c8479906075d57af2d54ff24c7a54451c317edc0a66dc4f486f2f4ef993d51d89ffe573f99afeed9e4f7
SHA1 hash: bc20b979b8d1e77d39389b5b9786a97bc76d1ac7
MD5 hash: c509b6a808c193e10da64c8835361080
humanhash: romeo-video-alpha-mirror
File name:202139769574 Shipping Documents.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:219'890 bytes
First seen:2021-05-04 04:59:01 UTC
Last seen:2021-05-04 06:01:55 UTC
File type: rar
MIME type:application/x-rar
ssdeep 3072:vARyFNeIswDS7ubqTPDhFsu3CX6d4oqoM9WwJdGBmX4lwlx1Ky8sI6SRh3sxL0m+:PFIwOS6PDhf26d/qrUKQC0w4y12sx4As
TLSH E82423D817D68102E10413E204F74BD70FCDDEBF768969190A9898BBC5BBB9C41E2D6D
Reporter cocaman
Tags:r11


Avatar
cocaman
Malicious email (T1566.001)
From: "Nurma <nur.marifah@mitrarubber.co.id>" (likely spoofed)
Received: "from mitrarubber.co.id (unknown [45.137.22.71]) "
Date: "3 May 2021 20:47:37 -0700"
Subject: "RE: PO#6275473 INSPIRED Indotube Shipping Plan (06-05-21)"
Attachment: "202139769574 Shipping Documents.r11"

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b37a66d9c4dce04b671f22c0746f1472e9dc089972e4b0c949d3884bfcb2b66/
Threat name:
Win32.Trojan.Zmutzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 00:48:06 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lm32m3m4jxhajntr6iwaorxri4xj3qejs4xewdeutu4ijp6lfnta._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210504-zevm7nqevs/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.magnumopuspro.com/nyr/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/5b37a66d9c4dce04b671f22c0746f1472e9dc089972e4b0c949d3884bfcb2b66

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 5b37a66d9c4dce04b671f22c0746f1472e9dc089972e4b0c949d3884bfcb2b66

(this sample)

Formbook

Executable exe cc7b066e0fa912d406c27790458ad6feb171b27275b6e3fe46b7a7574da7bfce

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cc7b066e0fa912d406c27790458ad6feb171b27275b6e3fe46b7a7574da7bfce

Comments