MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d
SHA3-384 hash: 0358bdbc91e90705fab369d72bbe24b8adf90fff49777fa50f9574092ba9e1f4c4e6a2611fb528a562881a96108f6e76
SHA1 hash: f0c00be99eb2999943beca70488872146227cf73
MD5 hash: a31bc094279bd65f568076d2aece6c99
humanhash: monkey-oven-blossom-fillet
File name:Order Inquiry_pdf.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:241'801 bytes
First seen:2023-03-22 06:20:12 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:8avB1JevjktZwm+1W2iYcBm4AP0urYEDAKGKebKAy7tFmLXjz5:5H8kLwBSAPxYEDAB/bKAkt+X5
TLSH T18834127EFBB2082BDF22B9B9997B781151EC44C2208F1B6876B7B569231043D9B1F245
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Zhang Kevin <cari@gerbilfun.com>" (likely spoofed)
Received: "from annette.gerbilfun.com (annette.gerbilfun.com [83.137.158.188]) "
Date: "Wed, 22 Mar 2023 00:40:23 +0100"
Subject: "Order Inquiry"
Attachment: "Order Inquiry_pdf.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:kkkke.exe
File size:255'830 bytes
SHA256 hash: 4fec09c02c8f80d1d158bfd9bc6e4adc5aa9891726901db4572843c405e2519d
MD5 hash: 2421d5bcf078bf77abf3759bb80695ca
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/641a9e4f3b01ade53e704069/reports/4b6174e9-9d5e-419a-8f3d-cd9a72df911c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 06:20:19 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydrqundlgep4sagpicjcq3i25pk4j4bi6yzeawqqx5v636ukcagq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230322-he714shc2y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c0e30a346b311fc900cf4092286d1aebd5c4f028f632405a10bf6bedfa8a100d

(this sample)

Formbook

Executable exe 4fec09c02c8f80d1d158bfd9bc6e4adc5aa9891726901db4572843c405e2519d

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4fec09c02c8f80d1d158bfd9bc6e4adc5aa9891726901db4572843c405e2519d
  
Dropping
MD5 2421d5bcf078bf77abf3759bb80695ca

Comments