MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5
SHA3-384 hash: ad837800dd8a093e3cccfcb3cb5f67866512d144fd2ea811d2b4baa01edb6aaa2af18de9bd14931c74adda9bce8991c1
SHA1 hash: 321ff579f33b127030e886921d02e5a02a198bbf
MD5 hash: b745c521f8696b166f23f5c35c8826fd
humanhash: mississippi-sodium-july-nine
File name:IRQ2107797_pdf.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:288'512 bytes
First seen:2022-04-04 12:19:47 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:Eb+LEHfgcycM4IeDcEMCcisrayECr/YkdNQR8szKylWX8PFC6L01jvBQ0ig55V:bLYfRG4IeA13EOtQR8K70MPtL017BQ0X
TLSH T13354238A213A1A6BF6F9D706A04300346AF356031E5E931EFC12D2DE6DF295ED153E8D
Reporter cocaman
Tags:FormBook QUOTATION rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Deena Sarala<shirley@23.fxvinru.cfd>" (likely spoofed)
Received: "from hp0.23.fxvinru.cfd (hp0.23.fxvinru.cfd [159.65.71.104]) "
Date: "Mon, 04 Apr 2022 13:47:54 +0200"
Subject: "REQUEST FOR QUOTATION Ref. # IRQ/21/07797"
Attachment: "IRQ2107797_pdf.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624ae274db9ca5cf841b6da0/reports/def9d7fc-8706-4ad9-b089-362994d00eca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5/
Threat name:
Win32.Trojan.ZmutzyPong
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 12:20:06 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6orrs6lhwaxhjlgsu6rpvvz3zcwo67ippcybyru4z3hjchqs2sq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s09m rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-phra4aaafm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5

(this sample)

Formbook

Executable exe ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a
  
Dropping
Formbook

Comments