MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa059f48f1e2a8cf4296bfa3a5c584c949874dc26f2079d2acc5ea46cb6edb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	6fa059f48f1e2a8cf4296bfa3a5c584c949874dc26f2079d2acc5ea46cb6edb9
SHA3-384 hash:	ca47623c8cbb48283acc8117f8fb1e3ddfb97da25e9e59fac650b4729c3e942e846c6575f4cd0907cf2af6583eb5edbd
SHA1 hash:	35e4d9c4cc89ffbfa1e4c8d8b6e62d5e9c22c9b2
MD5 hash:	c83ca7e7e14659639d4c77440171951b
humanhash:	golf-emma-vegan-montana
File name:	Quote##-PDF.gz
Download:	download sample
Signature	Formbook Create hunting rule
File size:	691'002 bytes
First seen:	2023-02-20 18:09:49 UTC
Last seen:	Never
File type:	gz
MIME type:	application/x-rar
ssdeep	12288:aWD4NkDg2Bmi9VNMNtOGyYrdAh7q62OJ01jExOT9ACFoBd17+ffxzFLu:alMBZWOGyYBsPJ0qxJd17U5Fu
TLSH	T1FCE4234DDEE16F09C105CC92262DC4521A537984244FAE1CA63F37F729EA7E9CF87868
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	FormBook gz

cocaman

Malicious email (T1566.001)
From: "Sales and Marketing Manager <sally@aldantechnology.com>" (likely spoofed)
Received: "from uajfdmli.midasconcepts.com (uajfdmli.midasconcepts.com [92.52.217.123]) "
Date: "Mon, 20 Feb 2023 10:47:54 +0100"
Subject: "sales contract-876 & New-Order"
Attachment: "Quote##-PDF.gz"

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Quote##-PDF.exe
File size:	1'035'264 bytes
SHA256 hash:	db0ce498e89e73428a0d1325a91da911e0b369615e4c1d22d5c8d17a8e5475f8
MD5 hash:	8d0505c74ffabbdc3b31bd29618ed478
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f3b77dd385ee58584e26f4/reports/fd027366-1a11-44eb-b0f5-699bb53c01c5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/6fa059f48f1e2a8cf4296bfa3a5c584c949874dc26f2079d2acc5ea46cb6edb9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fa059f48f1e2a8cf4296bfa3a5c584c949874dc26f2079d2acc5ea46cb6edb9/

Threat name:

Win32.Trojan.ZmutzyPong

Status:

Malicious

First seen:

2023-02-20 14:11:11 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

16 of 39 (41.03%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6qft5epdyviz5bjnp5duxcyjskjq5g4e3zaphjkzrpki3fw5w4q._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/6fa059f48f1e2a8cf4296bfa3a5c584c949874dc26f2079d2acc5ea46cb6edb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.