MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f901f3ffe7fbab466983a4a942b2c18137b37ba7bbad083311eb4e2c6a785c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	5f901f3ffe7fbab466983a4a942b2c18137b37ba7bbad083311eb4e2c6a785c0
SHA3-384 hash:	246508fc1cdf291797e2f9fbcc7238fa19473b8c15a98de1e9bac06c8f3fbe7eeae53434c8b8508cfc7d654362e2a336
SHA1 hash:	6a8a9d147ebac4e2a2048829b17c43cb9faf87c6
MD5 hash:	ea2fe31865517492cb6cfad4b575ac6c
humanhash:	hydrogen-angel-lemon-high
File name:	sales contract-876 & New-Order.tar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	691'040 bytes
First seen:	2023-02-20 18:08:51 UTC
Last seen:	Never
File type:	tar
MIME type:	application/x-rar
ssdeep	12288:1WD4NkDg2Bmi9VNMNtOGyYrdAh7q62OJ01jExOT9ACFoBd17+ffxzFLj:1lMBZWOGyYBsPJ0qxJd17U5Fj
TLSH	T14CE4234DDEE16F09C105CC92262DC4521A537984244FAE1CA63F37F729EA7E9CF87868
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	FormBook tar

cocaman

Malicious email (T1566.001)
From: "Sales and Marketing Manager <sally@aldantechnology.com>" (likely spoofed)
Received: "from uajfdmli.midasconcepts.com (uajfdmli.midasconcepts.com [92.52.217.123]) "
Date: "Mon, 20 Feb 2023 10:47:54 +0100"
Subject: "sales contract-876 & New-Order"
Attachment: "sales contract-876 & New-Order.tar"

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	sales contract-876 & New-Order.exe
File size:	1'035'264 bytes
SHA256 hash:	db0ce498e89e73428a0d1325a91da911e0b369615e4c1d22d5c8d17a8e5475f8
MD5 hash:	8d0505c74ffabbdc3b31bd29618ed478
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f3b73f42bf85850e3e5282/reports/34fa9cc6-3eed-4d7a-b90e-33afd3427a8e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/5f901f3ffe7fbab466983a4a942b2c18137b37ba7bbad083311eb4e2c6a785c0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f901f3ffe7fbab466983a4a942b2c18137b37ba7bbad083311eb4e2c6a785c0/

Threat name:

Win32.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-02-20 14:13:35 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 39 (43.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l6ib6p76p65lizuyhjfjikzmdajxwn52po5nbazrd22ofrvhqxaa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/5f901f3ffe7fbab466983a4a942b2c18137b37ba7bbad083311eb4e2c6a785c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.