MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4d20b334ed6ca9107b7dcb397bb8411bf13b6fa0021305a358415f8ffe83015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	a4d20b334ed6ca9107b7dcb397bb8411bf13b6fa0021305a358415f8ffe83015
SHA3-384 hash:	f37ce05efca6d18f3ee5887e8d6563aa96f011effdcf677f432e044a88e1e016e331d90cd6f1b39788b62945a33866f7
SHA1 hash:	4adec56eab19f97405b7f5aef43640e750494c5e
MD5 hash:	83735591195b877481eda11e9d9952e2
humanhash:	mississippi-iowa-papa-jupiter
File name:	06062023_648.7z
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	10'145 bytes
First seen:	2023-06-09 08:14:55 UTC
Last seen:	Never
File type:	7z
MIME type:	application/x-7z-compressed
ssdeep	192:2IKwrHrrqMi5uC9Xcpmga9pWkq1KJ41d6ABIf:myH/qMoBcpa9pWzz1ju
TLSH	T1B422BFD11BE14DADD4B2403090A24E3623167EE08D696823E691B2FEC7C69A3664E1F7
TrID	57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1) 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter	cocaman
Tags:	7z FormBook

cocaman

Malicious email (T1566.001)
From: ""Timo Tuominen" <mechsekre@mechsekretariateko.com>" (likely spoofed)
Received: "from mail0.mechsekretariateko.com (unknown [2.59.255.15]) "
Date: "6 Jun 2023 16:43:54 +0300"
Subject: "neue Bestellung"
Attachment: "06062023_648.7z"

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

104

Origin country :

CH

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

Relevant files 1

File name:	06062023_648.exe
File size:	22'016 bytes
SHA256 hash:	6f95ab99f175c18ddac4b83a164fa7b4caf500c066cd5f486837d39a80f41ac3
MD5 hash:	c44087705a82fdd12fd87fa6e69578df
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.22440.16912.UNOFFICIAL

Alert

Create hunting rule

DocGuard Unknown

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/a4d20b334ed6ca9107b7dcb397bb8411bf13b6fa0021305a358415f8ffe83015/results/dashboard

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6482df8839ba775c46e0b2a7/reports/04359ae7-e7bc-4710-868d-b0b27222f576/overview

Hybrid Analysis Malicious

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/a4d20b334ed6ca9107b7dcb397bb8411bf13b6fa0021305a358415f8ffe83015

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4d20b334ed6ca9107b7dcb397bb8411bf13b6fa0021305a358415f8ffe83015/

ReversingLabs TitaniumCloud Win32.Trojan.Leonem

Threat name:

Win32.Trojan.Leonem

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-06 17:22:01 UTC

File Type:

Binary (Archive)

Extracted files:

3

AV detection:

21 of 37 (56.76%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=utjawm2o23fjcb5x3szzpo4ecg7rhnx2aaqtawrvqqk7r77igakq._file

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/230609-j6p52sbf26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Formbook

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a4d20b334ed6ca9107b7dcb397bb8411bf13b6fa0021305a358415f8ffe83015