MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073
SHA3-384 hash: db7d48ab01d88fa5bc32a82dabc4f096e293c291fd199bf1f3b68e7076b8612c2ba3e733285892afc29d2caa765e1da6
SHA1 hash: 40a8dc2db3e21dec463c78bed9f5ed9332d6eae8
MD5 hash: ef87a41d5da2a6aa33762326090efb71
humanhash: jersey-glucose-kansas-delta
File name:PFI20-21008_.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:306'165 bytes
First seen:2023-01-10 08:57:22 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:vvF+buq4jNS+s5XeoX4P4umhQVZV8YDXVDqqSoC/xAGkmi+To+mo:vNcufxXs5fX4PjOQVH86qq5Cjq+EK
TLSH T1D354234A36241098D319A3BA3CF529087C5F1ACC7B5F9ED1C75B317A8B8F1E2496578C
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Audrey Yarmishko<oozdemir@tamcam.com.tr>" (likely spoofed)
Received: "from [103.99.3.82] (unknown [103.99.3.82]) "
Date: "9 Jan 2023 23:29:03 -0800"
Subject: "RE:PFI/20-21/008_NEW INQUIRY"
Attachment: "PFI20-21008_.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PFI20-21008_.exe
File size:460'610 bytes
SHA256 hash: 65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3
MD5 hash: ad8256cb4be1b817a6df0726f8cdee0f
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Rogue.0hr.20230110-0534.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25545.ZipHeur.Ext.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25560.ZipHeur.Ext.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073/results/dashboard
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 08:58:07 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
16 of 21 (76.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m4i4tfnmpfu76ko2bnksgilet5dohbzgwaobrx2adwfqbbisabzq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230110-k3wzvsfe57/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073

(this sample)

Formbook

Executable exe 65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3
  
Dropping
Formbook
  
Dropping
MD5 ad8256cb4be1b817a6df0726f8cdee0f

Comments