MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf
SHA3-384 hash:	dbed91ed32060a4150a9c4fdc72d58f38a9991bd7aaf61e03865746228704c079ad9a2f537cfdf3486262887acf656b0
SHA1 hash:	a07352c7b54e97101c0ee7297b8da078c40898b9
MD5 hash:	2824b78c696d22d8374f8b4d21f4738a
humanhash:	indigo-kilo-indigo-oregon
File name:	Proforma Invoice pdf.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	229'578 bytes
First seen:	2023-08-17 05:40:58 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	3072:y/igFEroxf4gcZ4Eqc6nJQSMzGe6qrx7JNpOIQgLbtbtj8c/51l8gNVqII4++CAz:yuKf4gaWQx6qVc6lR/5z8gNVqqXCSt
TLSH	T1F2242329B3A5DFEC9545DA069104F8D7C8ECA8037F93FA8477135C18E477B2A9E2A107
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	FormBook INVOICE payment zip

cocaman

Malicious email (T1566.001)
From: "Alan Wu <zhengda@singnet.com.sg>" (likely spoofed)
Received: "from [37.139.129.109] (unknown [37.139.129.109]) "
Date: "15 Aug 2023 14:11:35 +0200"
Subject: "Invoice Payment Instruction"
Attachment: "Proforma Invoice pdf.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Proforma Invoice pdf.exe
File size:	243'598 bytes
SHA256 hash:	63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a
MD5 hash:	e153fb09c6996b4d1084836e32414396
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3391.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230815-1338.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf/results/dashboard

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/64ddb2f0b3ff67c5573b3975/reports/e9010b46-7881-4bdb-8d5f-b2100586e992/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-08-15 12:21:03 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ndh4rhu6mmxuojkxe7mchecab5bap6ezs4s4qovti3vncamkhxpq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.