MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b0b6fef14872146bda4d7c9746e8a0aee86e823a8c8ac4d7b1e087fdebb8d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	7b0b6fef14872146bda4d7c9746e8a0aee86e823a8c8ac4d7b1e087fdebb8d37
SHA3-384 hash:	ffb1cf048ed6f020ece51e09dd8aa3d960e2ca946088e4ad5c7aa353281ad4956aba2e061f9fcff18a634c8da2ade93f
SHA1 hash:	dd97f0a7b38f41ffc333728816632a9ae208fd5d
MD5 hash:	dbad163c237b9ae7973d129739772132
humanhash:	alpha-nitrogen-carpet-sodium
File name:	MBL+HBL NOTICE.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	721'751 bytes
First seen:	2023-01-08 21:06:35 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:Xea6JTEGevC8QN8dVoivmWmb8hzU9BfE/t21yXQIQUlh9Od4wsw/K0Dw0G:uboGWY8fg9BfrPU5Od4afo
TLSH	T113E423D6A9F0A3711C06850FB6875F2B70CF4B98C4ADF117A2406651CCEBF61B26A753
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	FormBook zip

cocaman

Malicious email (T1566.001)
From: "bianca@wincologistics.com<bianca@wincologistics.com>" (likely spoofed)
Received: "from wincologistics.com (unknown [202.55.135.199]) "
Date: "6 Jan 2023 20:26:45 -0800"
Subject: "=?UTF-8?B?UFJFLUFMRVJUICBTTyNTSEFDQjIyMDQ2NzQ3ICBKT0IjU1pZQzIyMTIyMjgx77yaU2hhbmdoYWkgdG8gQ2hlbm5haSAvLyAxKjQwSFEgLy8gQk9FIHRvIERpeG9u?="
Attachment: "MBL+HBL NOTICE.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	MBL+HBL NOTICE.exe
File size:	1'441'280 bytes
SHA256 hash:	d4a8cd1afe16b614f4edc31c747e1c62535fe24ee6fe0a7b8fbc6336d19562f8
MD5 hash:	4a205e1cb6f3fe068df7ae9fa1b174bc
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Tedy.269903.13788.27804.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/7b0b6fef14872146bda4d7c9746e8a0aee86e823a8c8ac4d7b1e087fdebb8d37/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook msiexec.exe packed

Link:

https://www.filescan.io/uploads/63bb3077dde391056ac16e0a/reports/d11544b2-784e-4d5a-885e-bc3aef1474c8/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/7b0b6fef14872146bda4d7c9746e8a0aee86e823a8c8ac4d7b1e087fdebb8d37

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b0b6fef14872146bda4d7c9746e8a0aee86e823a8c8ac4d7b1e087fdebb8d37/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2023-01-06 11:31:25 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 41 (43.90%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pmfw73yuq4qunpne27exi3ukblxin2bdvdekytl3dyeh7xv3ru3q._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/7b0b6fef14872146bda4d7c9746e8a0aee86e823a8c8ac4d7b1e087fdebb8d37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.