MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90ab81c85dc4579b44691ecb394bc7faf1819d635a51497ad94b9539081446b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90ab81c85dc4579b44691ecb394bc7faf1819d635a51497ad94b9539081446b4
SHA3-384 hash: 62f1982d2e4a15caaf6436e9ee52f1ea22b4af753774337b92d19d30936f6a831116cb49e2510c1d3a4bfd4ca94ea035
SHA1 hash: bd6588d810159bc735d469ab9b06ff67f9325d63
MD5 hash: 56e227905a1436fc9f47d3bd8adf6ef7
humanhash: coffee-quiet-queen-spaghetti
File name:PURCHASE ORDER 4501226854_xlsx.z
Download: download sample
Signature Formbook
Create hunting rule
File size:607'561 bytes
First seen:2023-11-10 06:59:31 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 12288:st7YhzTEWhubmRPkGne9ipO8XYoZJ5ND7AaNTSVhCyC3sNX1V5XzcbGV:kMvUbmRP5neipfYoZJ5NDsaNTmhCL3sf
TLSH T1DDD42340CC5AC4EFB9FD6F81869E8EE6355966523F1F1E6D3949104AAD32E3070CAD8C
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:FormBook z


Avatar
cocaman
Malicious email (T1566.001)
From: ""SILIKO doo Slovenia." <ana-miera@siliko.si>" (likely spoofed)
Received: "from pol.altia.team (altia.team [89.117.120.225]) "
Date: "Thu, 09 Nov 2023 16:09:49 +0100"
Subject: "RE PURCHASE ORDER: PO-4501226854_11-09-2023"
Attachment: "PURCHASE ORDER 4501226854_xlsx.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PURCHASE ORDER 4501226854_xlsx.exe
File size:735'744 bytes
SHA256 hash: 9c3637d925b3bb46ad68e7667e5958cc6e0926d9b12f022c6e0e990d63f45a9d
MD5 hash: 35065fb8357c2e1d99b1dcfd12af2732
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Suspected-exe-in-RAR.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/654dd4f9641154c7e3f13357/reports/54c59df4-949c-4cb8-8a10-da762fbec2bd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/90ab81c85dc4579b44691ecb394bc7faf1819d635a51497ad94b9539081446b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90ab81c85dc4579b44691ecb394bc7faf1819d635a51497ad94b9539081446b4/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-09 16:42:22 UTC
File Type:
Binary (Archive)
Extracted files:
14
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scvydsc5yrlzwrdjd3ftss6h7lyydhldljius6wzjoktscaui22a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90ab81c85dc4579b44691ecb394bc7faf1819d635a51497ad94b9539081446b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z 90ab81c85dc4579b44691ecb394bc7faf1819d635a51497ad94b9539081446b4

(this sample)

Formbook

Executable exe 9c3637d925b3bb46ad68e7667e5958cc6e0926d9b12f022c6e0e990d63f45a9d

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9c3637d925b3bb46ad68e7667e5958cc6e0926d9b12f022c6e0e990d63f45a9d
  
Dropping
MD5 35065fb8357c2e1d99b1dcfd12af2732

Comments