MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec976accdaabfcbaeb18221fa8ada42d15cb6dd8d9555413f02af3551b46b383. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	ec976accdaabfcbaeb18221fa8ada42d15cb6dd8d9555413f02af3551b46b383
SHA3-384 hash:	0fad2f8827b766877d7bf4e9fb4967254a8b3f3dc5a057cc5a4d651cb69bc58ebd932ccf5d575c2cd3e3771eac161a41
SHA1 hash:	76053ee8c572b2cae49843ff6450fe2b75f0e4ec
MD5 hash:	ba48224abd5d0caa406ccd3fe4a16972
humanhash:	vegan-fanta-nuts-bakerloo
File name:	Doc_93847332023.cab
Download:	download sample
Signature	Formbook Create hunting rule
File size:	531'942 bytes
First seen:	2023-07-13 12:25:07 UTC
Last seen:	2023-07-13 13:54:47 UTC
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:IMbnLmkVLbYbhOePRBweru12JvBz0ZrqQFjIyxJq9HoT5+q4:IMbnSOfYdtpB/ruaWZRFjZxJWoQ9
TLSH	T170B423B1FBC62B1CE5493AA913D7F993B5A4321ACDA761C31153A0C3DDDC0D82C8AB56
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	cab rar

cocaman

Malicious email (T1566.001)
From: "WeTransfer <WeTransfer-online@taoplax.com>;" (likely spoofed)
Received: "from mail0.taoplax.com (mail0.taoplax.com [45.81.39.85]) "
Date: "13 Jul 2023 14:39:08 +0200"
Subject: "info@letempsmedia.ch received confidential fiIes via WeTransfer"
Attachment: "Doc_93847332023.cab"

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Doc_93847332023.exe
File size:	638'976 bytes
SHA256 hash:	3d1445e540b8f4dfee869812cde4bf208bdfc2a28a510336924c860868c07c25
MD5 hash:	338a91f4a24b4856a29165df68847cde
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/ec976accdaabfcbaeb18221fa8ada42d15cb6dd8d9555413f02af3551b46b383/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64afed5b6e9f7019dea0310b/reports/92fc77c0-e4e6-4c7e-a722-d7b40b6755fe/overview

Verdict:

Suspicious

Labled as:

Mal/RarMal

Link:

https://www.hybrid-analysis.com/sample/ec976accdaabfcbaeb18221fa8ada42d15cb6dd8d9555413f02af3551b46b383

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec976accdaabfcbaeb18221fa8ada42d15cb6dd8d9555413f02af3551b46b383/

Threat name:

ByteCode-MSIL.Trojan.Strictor

Status:

Malicious

First seen:

2023-07-13 12:25:10 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5slwvtg2vp6lv2yyeip2rlnefuk4w3oy3fkvie7qflzvkg2gwobq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230713-wrfpaahh48/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.