MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88b839bed586fad53b03b85bd6d7d6514c51de244e56e671c3385e9cd3590dff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	88b839bed586fad53b03b85bd6d7d6514c51de244e56e671c3385e9cd3590dff
SHA3-384 hash:	f5e1d557d268d41f81f064fe6e70134ef5bdb56fa4120abfd3db91eede9f624330b10ea8f646c6405d2fa18dcb605026
SHA1 hash:	15de61fc4edc230be1ecd5d2fa0482fd10b58601
MD5 hash:	bb7e10017918658b8f3f4e05e505741f
humanhash:	snake-high-item-failed
File name:	Mirus Packaging GmbH Purchase Order.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	762'523 bytes
First seen:	2023-06-20 06:45:22 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:uR4y6/LQfitmM2ZiJoCudDQ2u8jIyQW92JgyH42h6vuoyF0JpM:um+iUM2IQ17jIyb92Jgu4han
TLSH	T19FF433F1D2FE2DC8971035783AD51A8C57E927AA50ABB9F3A06ED4A325C8F05D4C09E1
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	FormBook rar

cocaman

Malicious email (T1566.001)
From: "justin@matrigen.com" (likely spoofed)
Received: "from matrigen.com (unknown [185.222.57.71]) "
Date: "19 Jun 2023 14:07:10 +0200"
Subject: "Re: Mirus Packaging GmbH Purchase Order"
Attachment: "Mirus Packaging GmbH Purchase Order.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Mirus Packaging GmbH Purchase Order.exe
File size:	924'160 bytes
SHA256 hash:	7c34a775e0bf30bcd2983db83edc98a9d4f0eace683ab77ae3d03173461c76ac
MD5 hash:	0279a95d310a259cbfb19199c4ccc441
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/88b839bed586fad53b03b85bd6d7d6514c51de244e56e671c3385e9cd3590dff/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/64914b2b024b6169b0eb191f/reports/4e264a52-f17d-4626-910d-9fc2881464a8/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/88b839bed586fad53b03b85bd6d7d6514c51de244e56e671c3385e9cd3590dff

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/88b839bed586fad53b03b85bd6d7d6514c51de244e56e671c3385e9cd3590dff/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-19 12:04:07 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rc4dtpwvq35nkoydxbn5nv6wkfgfdxrejzlom4odhbpjzu2zbx7q._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230620-hm3flaaf24/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/88b839bed586fad53b03b85bd6d7d6514c51de244e56e671c3385e9cd3590dff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.