MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2
SHA3-384 hash: 4a309320ac956035aa72735250cc083a8b2413b7b032d5a0158905a963beeb3f5c253163a5111c72aad97a771240a844
SHA1 hash: 0405c5cde3969308a0871479280601cc39095f74
MD5 hash: 4e89151b51f616e2b559bb83881a68e6
humanhash: cold-leopard-mountain-spring
File name:СРОЧНЫЙ ЗАКАЗ НА ПОКУПКУ ‮s͏x͏l͏x͏..zip
Download: download sample
Signature Formbook
Create hunting rule
File size:802'019 bytes
First seen:2024-06-11 08:07:55 UTC
Last seen:2024-06-11 08:59:02 UTC
File type: zip
MIME type:application/zip
ssdeep 24576:qfVNQoWfV2Yt8Glck9erO7EOOreJP8OlRDosXB2BT0gF:8VNQoWfV23Gll918eOsLwt
TLSH T13805333DB80C589EECE6305E1DE149FBE4AC058CCC454A3DB919537DB426D0F972E2A9
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?Q?=D0=93=D1=80=D0=B8=D0=B1=D0=B0=D0=BD=D0=BE=D0=B2=D0=B0_?=
=?UTF-8?Q?=D0=95=D0=BA=D0=B0=D1=82=D0=B5=D1=80=D0=B8=D0=BD=D0=B0_2?=
<e.gribanova@lenta.com>" (likely spoofed)
Received: "from zasvision.servidoresdedicados.com (zasvision.servidoresdedicados.com [31.24.41.224]) "
Date: "Sun, 09 Jun 2024 14:39:11 -0700"
Subject: "=?UTF-8?Q?RE=3A_RE=3A_=D0=97=D0=90=D0=9A=D0=90=D0=97_=D0=9D?=
=?UTF-8?Q?=D0=90_=D0=9F=D0=9E=D0=9A=D0=A3=D0=9F=D0=9A=D0=A3?="
Attachment: "СРОЧНЫЙ ЗАКАЗ НА ПОКУПКУ ‮s͏x͏l͏x͏..zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:СРОЧНЫЙ ЗАКАЗ НА ПОКУПКУ ‮s͏x͏l͏x͏..exe
File size:2'762'240 bytes
SHA256 hash: 46c56c73ef7f015efc0324de490c11519ff43d6e822967df67d3dde2ad9df8e8
MD5 hash: 9fc54f2baf929510d1fa5422dfa2c873
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_Hideexe.5.UNOFFICIAL
Create hunting rule

Porcupine.MSIL.GenKryptik.GXZG.240717.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2/results/dashboard
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
94%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2/
Threat name:
ByteCode-MSIL.Spyware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-06-09 22:02:50 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucnahk5o347pjecytyi2wfnpfyfdura7nihalhrdaxxe5pgfr6ra._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion execution persistence trojan
Link:
https://tria.ge/reports/240611-nq5ysawcmk/
Behaviour
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a09a03abaedf3ef490589e11ab15af2e0a3a441f6a0e059e2305ee4ebcc58fa2

(this sample)

Formbook

Executable exe 46c56c73ef7f015efc0324de490c11519ff43d6e822967df67d3dde2ad9df8e8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 46c56c73ef7f015efc0324de490c11519ff43d6e822967df67d3dde2ad9df8e8
  
Dropping
Formbook

Comments