MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d62ae4f4816a151da707fb01995ad07ff3cc85f7807f7b9ffa844131aaa449b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	8d62ae4f4816a151da707fb01995ad07ff3cc85f7807f7b9ffa844131aaa449b
SHA3-384 hash:	925831227fa5bccc27cc0a2748e578b5bdc04ce3f42409b2cb092bb2252f4b28da3a7303c8ad5dbcc960350bc52d447c
SHA1 hash:	b8893f478da25db0fde9cf01cd2269ccf66e7bf7
MD5 hash:	94d1f5c20eb622479424d9b19a80d798
humanhash:	nuts-fifteen-ink-kansas
File name:	RFQ # 1045981 - MAA_D Plant Project r01.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	711'741 bytes
First seen:	2023-06-14 09:17:54 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:cC4hYjkdpSRwGCJOxmzrd6Et6UNz8YHhYwtYpIP9zrm55fJsiFxtw+5jo6zJ:j4hYALSRQumPsEt62YY1+ps9zrAfJ1xB
TLSH	T172E423F6B73CA00E142DA45DFD4B3A4119F28EB53159B50A0BDB68FAC69F87B70111CA
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	FormBook rar RFQ

cocaman

Malicious email (T1566.001)
From: "maria@mybiosource.com" (likely spoofed)
Received: "from mybiosource.com (unknown [185.222.57.71]) "
Date: "14 Jun 2023 09:41:02 +0200"
Subject: "RFQ # 1045981 - MAA_D Plant Project r01"
Attachment: "RFQ # 1045981 - MAA_D Plant Project r01.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	RFQ # 1045981 - MAA_D Plant Project r01.exe
File size:	783'872 bytes
SHA256 hash:	d2b52bb53b70d2c91072c917fec7a81ab9de2384eafd1abe8c66e85f5b3e85ca
MD5 hash:	c4dda327f0195a7aa33a249f3c1088c3
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/8d62ae4f4816a151da707fb01995ad07ff3cc85f7807f7b9ffa844131aaa449b/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/648985cb39f32abaefb352a8/reports/799fad5c-749a-424b-9b37-85de3754be9d/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/8d62ae4f4816a151da707fb01995ad07ff3cc85f7807f7b9ffa844131aaa449b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d62ae4f4816a151da707fb01995ad07ff3cc85f7807f7b9ffa844131aaa449b/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-14 07:37:06 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rvrk4t2ic2qvdwtqp6ybtfnna77tzsc7pad7pop7vbcbggvkisnq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230614-larp4sff4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8d62ae4f4816a151da707fb01995ad07ff3cc85f7807f7b9ffa844131aaa449b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.