MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce3fd6d7303e91a975b9abcf35e5a21da98fa7559e761256a906412064034256. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce3fd6d7303e91a975b9abcf35e5a21da98fa7559e761256a906412064034256
SHA3-384 hash: 4a73837148a0e338e96c8c94ee1078c6e90cd43fee5faf8053d476a2f89630325792087c9b2d3f82e7b713587e253d80
SHA1 hash: 38551e268a82eb268d37859fb00d2bc2a4ebb16e
MD5 hash: 5f70739ec4c9092e732a995b5b284aaa
humanhash: single-sink-leopard-rugby
File name:our inqgiry.r23
Download: download sample
Signature Formbook
Create hunting rule
File size:738'723 bytes
First seen:2022-09-20 05:58:41 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:hjzKPx7arGWp0ONbYbR15KaTRwV+1Z8GtlyCF0APuDEbfm7qmbfAMxbHvfW:ReP9RYfbYbR1EaTGY84l/PkQm+mbZPfW
TLSH T145F423DC82E974748E5EE1603968E63833E520BB1F503762FC6ED64079A7B807C69277
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook r23 zip


Avatar
cocaman
Malicious email (T1566.001)
From: "AYITEX <sales@mekotex.com>" (likely spoofed)
Received: "from pldpukeb.koreapath.com (unknown [85.217.145.236]) "
Date: "Thu, 08 Sep 2022 11:42:27 +0100"
Subject: "RE: URGENT PRICE LIST NEEDED"
Attachment: "our inqgiry.r23"

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'339
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.42577.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
lokibot packed
Link:
https://www.filescan.io/uploads/63295721e64c53f047f72097/reports/c04be9d3-950f-4925-b325-b84e60ec6a49/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ce3fd6d7303e91a975b9abcf35e5a21da98fa7559e761256a906412064034256
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce3fd6d7303e91a975b9abcf35e5a21da98fa7559e761256a906412064034256/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 17:22:37 UTC
File Type:
Binary (Archive)
Extracted files:
37
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zy75nvzqh2i2s5nzvphtlzncdwuy7j2vtz3bevvjazasazadijla._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:awqu rat spyware stealer trojan
Link:
https://tria.ge/reports/220920-gpqzxacba4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ce3fd6d7303e91a975b9abcf35e5a21da98fa7559e761256a906412064034256

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip ce3fd6d7303e91a975b9abcf35e5a21da98fa7559e761256a906412064034256

(this sample)

Formbook

Executable exe 959fc8883e6b1d4ab77f9738792435e2dae1969530f36d2672db6cb397778687

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 959fc8883e6b1d4ab77f9738792435e2dae1969530f36d2672db6cb397778687
  
Dropping
Formbook

Comments