MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2add1ed737a7b2f4cbc819f608fca8d06c64000f56551ea70ac34ca002862ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 7



SHA256 hash: b2add1ed737a7b2f4cbc819f608fca8d06c64000f56551ea70ac34ca002862ec
SHA3-384 hash: d59418ea84e3e8275d82b1b553b821ebec8c11a57d7496b480e156a2ca19f3070e9559f11b4f2f3d3e5c8597e8c8df55
SHA1 hash: 037a5e29ce1c0a7c18a94031154a861ebf1c7521
MD5 hash: a59721bfddd808ca572a3b6d2efbfe01
humanhash: low-fish-papa-mars
File name: DSG2011001_INV+PL.zip
Signature: Formbook
File size: 301'213 bytes
First seen: 2023-02-09 08:22:50 UTC
Last seen: 2023-02-09 08:27:05 UTC
File type: zip
MIME type: application/zip
ssdeep: 6144:I/jUb7hBVB0VN0nM/Vxi2z2cW3bxgS7/RdAA0Iv1oqOt5AmrzMn:IrUbrO/Vn2cW3bimb9ovt57ze
TLSH: T1B854233C5C7C3D5C4518C54E80971B3D28E1B79FB3B92782DF4A97AA9C9398B22D7086
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: FormBook zip


cocaman
Malicious email (T1566.001)
From: "TANAVAN INDEE" <tanavan@dsgthai.com> (likely spoofed)
Received: from hosted-by.rootlayer.net (unknown [45.137.22.136])
Date: 9 Feb 2023 03:38:09 +0100
Subject: Re: [SUSPECTED SPAM]Shipment from DSG Thailand to Marvel Refrigeration (USA)
Attachment: DSG2011001_INV+PL.zip

Intelligence


File Origin
# of uploads: 3
# of downloads: 98
Origin country: n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: DSG2011001_INV+PL.exe
File size: 315'966 bytes
SHA256 hash: f4a6e60a7ee010bef6cb4ea0d9548d48ca5d7415336feff957eed8c043ead2b1
MD5 hash: 4b75a6e118d94db850863558197d5f21
MIME type: application/x-dosexec
Signature: Formbook
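The reporter's headers above and the archive listing (a ZIP that wraps a single PE named like an invoice) are the whole delivery chain of this sample. The following is an added example, not MalwareBazaar's code, of a first-pass triage script for such a message: it parses the mail, pulls the relay host and IP out of the Received header, compares the relay against the sender's domain, and inspects the ZIP attachment in memory without extracting or executing anything. The message is constructed here from the reporter's header values; the ZIP and the "PE" inside it are fakes, so the digests it prints will not match the IOCs on this page. The helper names (`build_sample_eml`, `triage`) and the relay heuristic are assumptions of the example.

```python
"""Added example, not MalwareBazaar's code: in-memory triage of a malspam
message whose ZIP attachment wraps a PE, the pattern of this entry
(DSG2011001_INV+PL.zip -> DSG2011001_INV+PL.exe).  Message, ZIP and 'PE'
are all CONSTRUCTED; nothing is written to disk and nothing is executed."""
import email
import email.policy
import email.utils
import hashlib
import io
import pathlib
import re
import zipfile
from email.message import EmailMessage

# Extensions that have no business inside an unsolicited invoice archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024          # refuse to inflate zip bombs
RECEIVED_HOST = re.compile(r"^\s*from\s+([\w.-]+)")
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_eml() -> bytes:
    """Constructed message: reporter's header values, fake ZIP -> fake PE."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 256   # only the magic matters
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DSG2011001_INV+PL.exe", fake_pe)
    msg = EmailMessage(policy=email.policy.default)
    msg["Received"] = "from hosted-by.rootlayer.net (unknown [45.137.22.136]) by mx.example.invalid"
    msg["From"] = '"TANAVAN INDEE" <tanavan@dsgthai.com>'
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Re: [SUSPECTED SPAM]Shipment from DSG Thailand to Marvel Refrigeration (USA)"
    msg.set_content("Please find attached the invoice and packing list.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DSG2011001_INV+PL.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse the message, pull relay evidence from Received, inspect attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    received = [str(h) for h in msg.get_all("Received", [])]
    relay_hosts = [m.group(1).lower() for h in received for m in [RECEIVED_HOST.match(h)] if m]
    report = {
        "from": sender,
        "relay_hosts": relay_hosts,
        "relay_ips": [ip for h in received for ip in RECEIVED_IP.findall(h)],
        # Crude heuristic only: legitimate mail is often relayed by a third party,
        # which is why the reporter writes 'likely spoofed' rather than 'spoofed'.
        "relay_matches_sender": any(h == sender_domain or h.endswith("." + sender_domain)
                                    for h in relay_hosts),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        att = {"name": part.get_filename(), "size": len(data),
               "sha256": hashlib.sha256(data).hexdigest(), "members": []}
        if data[:4] == b"PK\x03\x04":                 # ZIP local-file-header magic
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    content = zf.read(info)          # inflated in memory only
                    ext = pathlib.PurePosixPath(info.filename).suffix.lower()
                    is_pe = content[:2] == b"MZ"      # DOS-header magic of a PE
                    att["members"].append({
                        "name": info.filename, "size": info.file_size,
                        "sha256": hashlib.sha256(content).hexdigest(),
                        "is_pe": is_pe,
                        # a PE hidden under a document extension is the other common
                        # trick, hence the OR between magic and extension
                        "suspicious": is_pe or ext in EXECUTABLE_EXTS,
                    })
        report["attachments"].append(att)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_eml()), indent=2))
```

Run against a real .eml, the inner SHA256 is what you would look up in MalwareBazaar (here f4a6e60a...), and the `relay_matches_sender` flag is only a prompt to check SPF/DKIM results, not a verdict on its own.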
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 83%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-02-09 07:37:08 UTC
File Type: Binary (Archive)
Extracted files: 4
AV detection: 21 of 26 (80.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
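Several of the behaviours listed above (WriteProcessMemory, SetThreadContext, MapViewOfSection, together with "Executes dropped EXE") are the individual steps of writing code into another process and redirecting one of its threads to it, i.e. process hollowing or thread hijacking. A sandbox reports each call on its own; a detection needs to correlate them per source/target process pair. The following is an added example, not MalwareBazaar's or any vendor's code, that does this correlation over a constructed API trace. The trace format, the process IDs, the weights and the names `parse_line` and `detect` are assumptions of the example; a real API monitor or ETW/Sysmon feed needs its own parser in place of `parse_line`.

```python
"""Added example, not MalwareBazaar's or a sandbox vendor's code: correlate the
cross-process API calls the behaviour list flags one by one into a single
process-injection alert per (source pid, target pid) pair.  The trace format
and every line in TRACE are CONSTRUCTED."""
from collections import defaultdict

# Constructed API trace: one call per line, timestamp then key=value fields.
# pid 4120 hollows a suspended child (5300); pid 2210 writes its own memory;
# pid 900 only reads another process (what a task manager does).
TRACE = """\
2023-02-09T07:37:10Z pid=4120 api=CreateProcessW child_pid=5300 flags=CREATE_SUSPENDED
2023-02-09T07:37:10Z pid=4120 api=NtUnmapViewOfSection target_pid=5300
2023-02-09T07:37:10Z pid=4120 api=VirtualAllocEx target_pid=5300 size=0x4c000
2023-02-09T07:37:10Z pid=4120 api=WriteProcessMemory target_pid=5300 size=0x4c000
2023-02-09T07:37:10Z pid=4120 api=SetThreadContext target_pid=5300
2023-02-09T07:37:11Z pid=4120 api=ResumeThread target_pid=5300
2023-02-09T07:37:12Z pid=2210 api=WriteProcessMemory target_pid=2210 size=0x10
2023-02-09T07:37:13Z pid=900 api=ReadProcessMemory target_pid=5300 size=0x1000
2023-02-09T07:37:13Z pid=3000 api=AdjustTokenPrivileges privilege=SeDebugPrivilege
"""

# Weight of each cross-process call (assumed values).  The two marked (!) are
# the pair the sandbox flagged above; together they are near-conclusive.
WEIGHTS = {
    "WriteProcessMemory": 3,    # (!) code planted in another process
    "SetThreadContext": 3,      # (!) its thread redirected to that code
    "NtMapViewOfSection": 2,    # section mapping is the other way to plant code
    "NtUnmapViewOfSection": 2,  # carving out the legitimate image first
    "CREATE_SUSPENDED": 2,      # child created paused so it can be hollowed
    "VirtualAllocEx": 1,
    "ResumeThread": 1,
}
HOLLOWING_PAIR = {"WriteProcessMemory", "SetThreadContext"}
ALERT_THRESHOLD = 6


def parse_line(line: str) -> dict:
    """key=value tokens after the timestamp -> dict (constructed format)."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(trace: str) -> list:
    """Return one alert per (source pid, target pid) pair that crosses the bar."""
    observed = defaultdict(set)                # (src, tgt) -> {api names, flags}
    for line in trace.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec.get("pid")
        tgt = rec.get("target_pid") or rec.get("child_pid")
        if not src or not tgt or src == tgt:
            continue                           # self-writes and local calls are noise here
        key = (int(src), int(tgt))
        observed[key].add(rec["api"])
        if rec.get("flags") == "CREATE_SUSPENDED":
            observed[key].add("CREATE_SUSPENDED")
    alerts = []
    for (src, tgt), apis in sorted(observed.items(), key=lambda kv: kv[0]):
        score = sum(WEIGHTS.get(a, 0) for a in apis)
        if HOLLOWING_PAIR <= apis or score >= ALERT_THRESHOLD:
            alerts.append({
                "pid": src, "target_pid": tgt, "score": score,
                "apis": sorted(apis),
                "technique": ("process hollowing / thread hijack"
                              if HOLLOWING_PAIR <= apis else "suspected injection"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(TRACE):
        print(alert)
```

Keying on the (source, target) pair is what keeps the task-manager style ReadProcessMemory and the process's writes to its own memory out of the alert; both would trip a rule that looked at each API in isolation.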
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Author:Elastic Security
Rule name:win_formbook_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_g0
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_formbook_w0
Author:@malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook
Sample: zip b2add1ed737a7b2f4cbc819f608fca8d06c64000f56551ea70ac34ca002862ec (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook