MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80185d2c2dfe72063459e5a69b3313d38effd650efa19da78ba3e11187bcec65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	80185d2c2dfe72063459e5a69b3313d38effd650efa19da78ba3e11187bcec65
SHA3-384 hash:	89389ea41ece54cd601b6b348fcb9bf531963c1393d5dfbc22667b6ee2fb1d8d6f7df6e67af5619e2e7fcd4b24de71a9
SHA1 hash:	7594a5a4e481c0bc8160d41e5bf729885c9add11
MD5 hash:	a3c4030e4b17e0a0bea605ad5591155d
humanhash:	foxtrot-fish-march-jig
File name:	PART SHIPMENT- FEDEX - Cargo Arrival Notification Import Track No 270962529096 MR V fKUMAR.pdf.arj
Download:	download sample
Signature	Formbook Create hunting rule
File size:	465'595 bytes
First seen:	2022-04-06 05:50:03 UTC
Last seen:	Never
File type:	arj
MIME type:	application/x-rar
ssdeep	12288:T7jbl6bL8/HooZGoI0K6mdtDg4sJ1t1s+8tokL:TPobGoOI2mdtDg4e8ug
TLSH	T177A423C56C7539E81B39C0FD1808BB296A219FF5E4DD98F82CB070A20B891F71957E5B
Reporter	cocaman
Tags:	arj FormBook

cocaman

Malicious email (T1566.001)
From: "Charles Anthony Carroll <canthonycarroll@fedex.com>" (likely spoofed)
Received: "from fedex.com (unknown [37.49.225.131]) "
Date: "6 Apr 2022 05:01:17 +0200"
Subject: "PART SHIPMENT- FEDEX - Cargo Arrival Notification / Import Track No : : 270962529096"
Attachment: "PART SHIPMENT- FEDEX - Cargo Arrival Notification Import Track No 270962529096 MR V fKUMAR.pdf.arj"

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/624d2a0eaa7e43c6a6c0b39b/reports/034e37d9-ce45-4d8b-8e43-9ebe2f1f32c3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80185d2c2dfe72063459e5a69b3313d38effd650efa19da78ba3e11187bcec65/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-04-06 05:51:07 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qamf2lbn7zzamncz4wtjwmyt2ohp7vsq56qz3j4lupqrdb545rsq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/80185d2c2dfe72063459e5a69b3313d38effd650efa19da78ba3e11187bcec65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4 Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research