MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97b0b66e5430162df359acaf374f16741a74b2a0d54123cd4169a9f573f039aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97b0b66e5430162df359acaf374f16741a74b2a0d54123cd4169a9f573f039aa
SHA3-384 hash: 9b4c8ed4ec338f909ed270debd3d65b42e155c8e53a21df163582beeab340f9d37feeb2e4db3768988e728193c8ea5e6
SHA1 hash: 92e3be5d6755c20cec2585dd2c3d2017aa5f8436
MD5 hash: 6d1a27b280d043b43d401563a45fdb0f
humanhash: nuts-princess-apart-indigo
File name:034254168729092.zip
Download: download sample
Signature FormBook
Create hunting rule
File size:502'447 bytes
First seen:2022-08-30 20:35:38 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:cQ0tr3puQ5TK44iOJB1vcEgC2eu7f3Pxt1umqYvQZUdlrwHuMg1qoOMxAI:cO8FZje0/xCCQZUQHuMg1q3kH
TLSH T12EB423C642A0EC32DEBE4A6B193FA81D6CE17639A6556C53E26E13B187DFC5470D80F0
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Ivana Nikolic <ivana.nikolic@nb.rs>" (likely spoofed)
Received: "from hosting3.netsys.am (hosting3.netsys.am [80.86.231.190]) "
Date: "Mon, 29 Aug 2022 21:51:47 +0000"
Subject: "RE: RE: RE: RE: =?utf-8?b?0J3QvtCy0Lgg0L/QvtGA0LXQtNCw0Lo=?="
Attachment: "034254168729092.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_exenum416.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AI.Packer.7BA51BF319.5940.3331.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/630e75eaa7450371f68f07d9/reports/9a280385-cbe8-41a6-bee5-d2b64f366f96/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/97b0b66e5430162df359acaf374f16741a74b2a0d54123cd4169a9f573f039aa
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97b0b66e5430162df359acaf374f16741a74b2a0d54123cd4169a9f573f039aa/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 20:48:35 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6ylm3sugalc342zvsxtotywoqnhjmva2vashtkbngu7k47qhgva._file
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:3nop persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220830-zdndrahagr/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97b0b66e5430162df359acaf374f16741a74b2a0d54123cd4169a9f573f039aa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 97b0b66e5430162df359acaf374f16741a74b2a0d54123cd4169a9f573f039aa

(this sample)

FormBook

Executable exe 8945a72bfeac4f8234fa7eb586fa51f0cab91a0a48fdc65120947dfe37fb9970

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8945a72bfeac4f8234fa7eb586fa51f0cab91a0a48fdc65120947dfe37fb9970
  
Dropping
FormBook

Comments