MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9351b9b74ef0244d678c907db4003e2a7a25f5678cc540b9e65615135958737. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 6

SHA256 hash: a9351b9b74ef0244d678c907db4003e2a7a25f5678cc540b9e65615135958737
SHA3-384 hash: 2453c01896a39cca5c404018bfd777c10f09b8756e2de3ced216a1b59bf7af881b51b3ef022ca9caa3faaf84aeb4bd02
SHA1 hash: a3986c181bdf383f2d64ad9167e801c35cdbb8c9
MD5 hash: 7d27f673e83e0c656871292ac1dd41e2
humanhash: september-bravo-uniform-tennessee
File name: HXM0300550018.img
Signature: Formbook
File size: 358'400 bytes
First seen: 2023-02-08 15:19:14 UTC
Last seen: 2023-02-09 07:49:49 UTC
File type: img
MIME type: application/x-iso9660-image
ssdeep: 6144:KYa6FM+2pDlj3uGJpZrJ52Gp0yK0Iqbu2Cz99Dzr2Oc:KY4+21lruApZNP0yXI6u2CzPeO
TLSH: T1D9741290B794C86ADD600472156892366BA7AC3668BA5D4F379C370A7B33183DE2F713
TrID:
  99.4% (.NULL) null bytes (2048000/1)
  0.2% (.ISO) ISO 9660 CD image (5100/59/2)
  0.2% (.ATN) Photoshop Action (5007/6/1)
  0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
  0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter: cocaman
Tags: FormBook img INVOICE


cocaman
Malicious email (T1566.001)
From: "onne.iwnuqt@alic.eorz.net" (likely spoofed)
Received: "from mg1.eee.tw (mg1.eee.tw [43.254.16.251]) "
Date: "Wed, 08 Feb 2023 16:01:34 +0800"
Subject: "DC DISTRIBUIDORA DE ALIMENTOS LTDA-Invoice_1859 1824"
Attachment: "HXM0300550018.img"

Intelligence

File Origin
# of uploads: 2
# of downloads: 94
Origin country: n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: HXM0300550018.exe
File size: 303'638 bytes
SHA256 hash: 8770f9d32f3b5b26267d6320c355f576df3d09e49d58e50ac16d044f4cf2cf54
MD5 hash: 56c21a2796f5c5bdf12603e3e18f59d4
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 83%
Tags: context-iso overlay packed shell32.dll

Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-02-08 09:34:31 UTC
File Type: Binary (Archive)
Extracted files: 4
AV detection: 13 of 39 (33.33%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: SUSP_EXE_in_ISO
Author: SECUINFRA Falcon Team
Description: Detects ISO files that contains an Exe file. Does not need to be malicious
Reference: Internal Research

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook
img a9351b9b74ef0244d678c907db4003e2a7a25f5678cc540b9e65615135958737 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments