MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a
SHA3-384 hash: 65f3197d72ac51274bcc42d714a8d6d5c9188af96d6fcbf81be753e44d3ff7ac2d9ae7cdd36f64c585b1dc5a76f840a6
SHA1 hash: c20503e3255c1f69ecebfdbb566b761f7b8f961a
MD5 hash: 8fef6a131d294080f4859598a07d239f
humanhash: avocado-pip-angel-white
File name:payslip-10-14.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:40'390 bytes
First seen:2022-10-15 10:09:16 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 768:jd9qqsMVbHRoot/JarYXMk+XGYDa0g9zKb/8alEh3tsyBWFud08:KO/t/ErYXIGQw9+XlE8ywudr
TLSH T18D03F18A8AC22BB4700DA5618DFF0D68625FB1217639E93E777C15335638F3B78804A3
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Lim Hooi Nee <ken.dal@ccitafna.com>" (likely spoofed)
Received: "from rhizxqyu.ccitafna.com (rhizxqyu.ccitafna.com [85.217.145.141]) "
Date: "14 Oct 2022 07:52:01 +0200"
Subject: "Payment slip"
Attachment: "payslip-10-14.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:payslip-10-14.exe
File size:122'880 bytes
SHA256 hash: c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824
MD5 hash: d814d6b2b68825eb6ea6122617841df2
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi obfuscated packed
Link:
https://www.filescan.io/uploads/634a86fb7f72336a8d6261a8/reports/19df14aa-d9a8-44c8-a0e3-bf4b2c3358eb/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 05:10:41 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=un4wrfjydfyhtvkzqo6jynhzjwb7oftvys7odcnjrpmibalqiu5a._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221015-l7cx8afdh9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a

(this sample)

Formbook

Executable exe c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824
  
Dropping
MD5 d814d6b2b68825eb6ea6122617841df2

Comments