MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5ef403f6eb24be53ab7293ad56c54f6853df005b6b9d34c48f0132d794a32d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 7



SHA256 hash: c5ef403f6eb24be53ab7293ad56c54f6853df005b6b9d34c48f0132d794a32d9
SHA3-384 hash: a129aea184e5cd1e0c566d1f702804c9d2e247ac924cca3d86f6f250e9f8b1f5a38845bd54bb295534886cc6a3799983
SHA1 hash: 1c7a02430b048e5d71ecdbdcea17025bfbdc9510
MD5 hash: d90dc4011ae0968a98859f42a06277d4
humanhash: coffee-maryland-texas-hot
File name: Payment (2).r11
Signature: Formbook
File size: 433'723 bytes
First seen: 2023-05-05 14:11:25 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 12288:oxLbhYmZHdfZQWkLjrKeoctrb2WEf6gLWro:GZHdGWkDvpzrro
TLSH: T1B994237469F6E81305607CB6AEABE7547329F817D28AD31848D044EBC7A31D75B3109F
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: FormBook payment r11 rar


cocaman
Malicious email (T1566.001)
From: "lgpartner.ch Administrator<no-reply@lgpartner.ch>" (likely spoofed)
Received: "from lgpartner.ch (unknown [94.131.107.124]) "
Date: "05 May 2023 14:10:40 -0700"
Subject: "Re:Payment Remittance"
Attachment: "Payment (2).r11"

Intelligence

File Origin
# of uploads: 1
# of downloads: 217
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Payment (2).exe
File size: 979'968 bytes
SHA256 hash: c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
MD5 hash: 2ebf7f5b65c0e71bf0f36e8e9bbde1c3
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 89%
Tags: anti-debug anti-vm greyware keylogger overlay packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2023-05-05 14:12:09 UTC
File Type: Binary (Archive)
Extracted files: 46
AV detection: 8 of 37 (21.62%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:formbook family:modiloader campaign:bs92 persistence rat spyware stealer trojan
Behaviour:
  Enumerates system info in registry
  Runs ping.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Adds Run key to start application
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  Formbook payload
  ModiLoader Second Stage

Formbook
ModiLoader, DBatLoader

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: CMD_Ping_Localhost

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: win_dbatloader_g1
Author: Slavo Greminger, SWITCH-CERT
Description: targets stager

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook, rar c5ef403f6eb24be53ab7293ad56c54f6853df005b6b9d34c48f0132d794a32d9 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook
