MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a449544a9b218ed5c712c293d169ee6342c641b3f452f1b5dc1a0e663b64b99c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a449544a9b218ed5c712c293d169ee6342c641b3f452f1b5dc1a0e663b64b99c
SHA3-384 hash: 3f274292247138132644da3d0157a90099ed2fdb7711031905828d7d0617c3e92edbd506416c25745ad89f596895b499
SHA1 hash: 2241ac156bd9bd0baf71dbb108cd93a87254dee7
MD5 hash: 7f65547e82cd4d50dd511447fb78837c
humanhash: batman-pluto-mountain-steak
File name:Availability and prices - inquiry.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:801'905 bytes
First seen:2024-08-22 05:41:06 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:X2MLhZ9tHN/LCczNpsR4adWO040sgU/R1j+ngVo4T:Xz9tNjFzNpsR4m04BgwT
TLSH T1490533DA16E128531D867C072FE70C1ECE62C814276A605B5CEF6709DB44EAB0D6F9BC
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Anis Moumene <mimc@moumene.com>" (likely spoofed)
Received: "from moumene.com (unknown [185.222.58.41]) "
Date: "22 Aug 2024 06:24:15 +0200"
Subject: "Request for availability and prices - inquiry"
Attachment: "Availability and prices - inquiry.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Availability and prices - inquiry.exe
File size:1'330'176 bytes
SHA256 hash: 35aad958ea02458da32208308f06b03c43d414108eb36ecb9f030df395797711
MD5 hash: 718620e0c14d32edbc0c41085eda3072
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c6cface7ff3f5a063bbca8
Tags:
Heur
Gathering data
Verdict:
Suspicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a449544a9b218ed5c712c293d169ee6342c641b3f452f1b5dc1a0e663b64b99c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a449544a9b218ed5c712c293d169ee6342c641b3f452f1b5dc1a0e663b64b99c/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-08-22 05:08:04 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=urevisu3eghnlrysykj5c2pomnbmmqnt6rjpdno4dihgmo3exgoa._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240822-gprlfasane/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a449544a9b218ed5c712c293d169ee6342c641b3f452f1b5dc1a0e663b64b99c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar a449544a9b218ed5c712c293d169ee6342c641b3f452f1b5dc1a0e663b64b99c

(this sample)

Formbook

Executable exe 35aad958ea02458da32208308f06b03c43d414108eb36ecb9f030df395797711

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 35aad958ea02458da32208308f06b03c43d414108eb36ecb9f030df395797711
  
Dropping
Formbook
  
Dropping
MD5 718620e0c14d32edbc0c41085eda3072

Comments