MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f
SHA3-384 hash: 37863df7dd2dc6a03941241bfbf7d20eb9a7cb99faac732853754d444d8d4ab702b81e33483803533386d3101faef175
SHA1 hash: bfec964456838da3b37a6981072cbdf450554168
MD5 hash: 950d7ba3511783a6a30c8ce19dc6a91e
humanhash: neptune-georgia-summer-bakerloo
File name:RFQ 3728422023 pdf.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:539'027 bytes
First seen:2023-10-31 13:00:46 UTC
Last seen:2023-10-31 15:02:02 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:i5bWqMlRVYHhT5QdLwIvmM4K8HJAoe0F4wUR3gH+BANfZ/HJe:xq4RVshT5QLp4dpAoeXj3gH+yRfJe
TLSH T131B423E013598BF10AF226D602ADDCB87B15369D73EA7D849047A1D7D8DC0FA89789F0
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook RFQ Shipping zip


Avatar
cocaman
Malicious email (T1566.001)
From: "sales@overseasshippinginc.com" (likely spoofed)
Received: "from overseasshippinginc.com (unknown [163.123.142.181]) "
Date: "31 Oct 2023 16:01:19 +0100"
Subject: "RE.RE RE.RE:RFQ 3728422023 "
Attachment: "RFQ 3728422023 pdf.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:RFQ 3728422023 pdf.exe
File size:559'616 bytes
SHA256 hash: 93bc82b99ec0339576f7f93e026ee2dc33b8bdddd99b2addca44e5cbde6b59f8
MD5 hash: 3f7c59a688a73d9704c15205f34e1bac
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3391.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.738.20379.9173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6540fa90b38131f117ab6716/reports/33ecf08f-7851-4f5f-a091-74a9822968bc/overview
Verdict:
Malicious
Labled as:
Mal/DrodZp
Link:
https://www.hybrid-analysis.com/sample/c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
Archive
Link:
https://malprob.io/report/c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-31 12:25:21 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yc3mngihebu76vj6pil4trbzmg5jpu5hhqg5uzhkff6r56oqy5pq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cc73 rat spyware stealer trojan
Link:
https://tria.ge/reports/231031-sjf4asac31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c0b6c699072069ff553e7a17c9c43961ba97d3a73c0dda64ea297d1ef9d0c75f

(this sample)

Formbook

Executable exe 93bc82b99ec0339576f7f93e026ee2dc33b8bdddd99b2addca44e5cbde6b59f8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 93bc82b99ec0339576f7f93e026ee2dc33b8bdddd99b2addca44e5cbde6b59f8
  
Dropping
Formbook

Comments