MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d16fbc771fc5c9c5ef32ecf33f802546a8d69770cd2eb75cc8f44e40b7960f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	82d16fbc771fc5c9c5ef32ecf33f802546a8d69770cd2eb75cc8f44e40b7960f
SHA3-384 hash:	317438ad515ec4f9b1b0c2fc0e087ab200976cabb44558b0bf5466d123742646d98bf5cbb31323271e820277bb869507
SHA1 hash:	f44bdcb370b89d3c89dc090ceee0d9829b9b9633
MD5 hash:	d9147e7cc518ca55cce6114c0ae5a45d
humanhash:	two-nitrogen-minnesota-equal
File name:	Mirus Packaging GmbH Purchase Order.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	608'677 bytes
First seen:	2023-06-16 11:00:17 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:AxNRqWkSrm3TBjk+YPCQMKLUX93xvBks/yS8mFqRtA:AxTqvSruTBjk2KLUXPmW8jR2
TLSH	T1F3D42333798B67B8C731AFFB8228F2E4FC58EB807E5A41150A17310A0B88E15D2571ED
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	FormBook rar

cocaman

Malicious email (T1566.001)
From: "justin@matrigen.com" (likely spoofed)
Received: "from matrigen.com (unknown [185.222.57.71]) "
Date: "16 Jun 2023 11:42:31 +0200"
Subject: "Re: Mirus Packaging GmbH Purchase Order"
Attachment: "Mirus Packaging GmbH Purchase Order.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Mirus Packaging GmbH Purchase Order.exe
File size:	657'920 bytes
SHA256 hash:	f3053c7e048f3a0446a3a5b005a73173720e037f7372c4dad57955b23c42d3f0
MD5 hash:	571a7a86aa6bdda404b67c04f13fac00
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/82d16fbc771fc5c9c5ef32ecf33f802546a8d69770cd2eb75cc8f44e40b7960f/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw packed

Link:

https://www.filescan.io/uploads/648c40eee8a7749a2a225772/reports/37f5da1d-19f4-4b3c-bdbd-7dfcccadca6f/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/82d16fbc771fc5c9c5ef32ecf33f802546a8d69770cd2eb75cc8f44e40b7960f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/82d16fbc771fc5c9c5ef32ecf33f802546a8d69770cd2eb75cc8f44e40b7960f/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-16 09:39:50 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 35 (54.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qliw7pdxd7c4trppglwpgp4aevdkrvuxodgs5n24zd2e4qfxsyhq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230616-nf1w3seg28/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/82d16fbc771fc5c9c5ef32ecf33f802546a8d69770cd2eb75cc8f44e40b7960f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.