MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45e050839b17e21868dcd7e07c4f3ac4cf94fe727f51c6e958b680739e5f23b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e45e050839b17e21868dcd7e07c4f3ac4cf94fe727f51c6e958b680739e5f23b
SHA3-384 hash: addcd134a7bac449db1a3b27f99e424079f089e802690179794475a903164605555c5c0dd445e053ea2258e341b945b4
SHA1 hash: d5b6d5efe66c8629dd86d22348f1d832a6a2f650
MD5 hash: b8374940215d019e8690b9d9362ad745
humanhash: hydrogen-ceiling-rugby-indigo
File name:FINAL SELECTION SAMPLE QUOTATION.arj
Download: download sample
Signature Formbook
Create hunting rule
File size:581'179 bytes
First seen:2023-10-23 15:19:04 UTC
Last seen:2023-10-23 17:46:36 UTC
File type: arj
MIME type:application/x-rar
ssdeep 12288:ERynwNk3HBjobp32Tq4v9cuds24sZUfyIPdYoyl:ERTS3HB8l3Sq4evXIUffPyX
TLSH T117C42326240ED5F1FB5329E8261C90E078A380D5DEB797FD9F50CF78A855A2E09E9720
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:arj FormBook QUOTATION


Avatar
cocaman
Malicious email (T1566.001)
From: "Purchasing 18 - Qasr Alawani<purc18@qasralawani.com>" (likely spoofed)
Received: "from [45.62.170.73] (unknown [45.62.170.73]) "
Date: "15 Oct 2023 19:01:12 -0700"
Subject: "Re: SAMPLE REQUEST - HH22-245 - QASR AL AWANI CO.,LTD. "
Attachment: "FINAL SELECTION SAMPLE QUOTATION.arj"

Intelligence

File Origin
# of uploads :
62
# of downloads :
105
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:FINAL SELECTION SAMPLE QUOTATION.exe
File size:634'880 bytes
SHA256 hash: afbcc4589635ef9e83579c9865d99e7b454f827e5ae02b8248db0fc73d9553c4
MD5 hash: b3a6049df6caece43dfe7484f80519c4
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65368f235f371a3fc85f86e2/reports/6fd61d3d-2e10-4651-98b1-3695e9f6e8e8/overview
Verdict:
Malicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/e45e050839b17e21868dcd7e07c4f3ac4cf94fe727f51c6e958b680739e5f23b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e45e050839b17e21868dcd7e07c4f3ac4cf94fe727f51c6e958b680739e5f23b/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Suspicious
First seen:
2023-10-16 04:40:48 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rpakcbzwf7cdbunzv7aprhtvrgpst7he72ry3uvrnuaoopf6i5q._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

arj e45e050839b17e21868dcd7e07c4f3ac4cf94fe727f51c6e958b680739e5f23b

(this sample)

Formbook

Executable exe afbcc4589635ef9e83579c9865d99e7b454f827e5ae02b8248db0fc73d9553c4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 afbcc4589635ef9e83579c9865d99e7b454f827e5ae02b8248db0fc73d9553c4
  
Dropping
Formbook
  
Dropping
MD5 b3a6049df6caece43dfe7484f80519c4

Comments