MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef3a1c2b765433521f44e737d313ff6103e7f6edbdfd5d446c5e6636e3c9125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	eef3a1c2b765433521f44e737d313ff6103e7f6edbdfd5d446c5e6636e3c9125
SHA3-384 hash:	8d314466f0f9e4a1df30ad4fe4a3a02fc4ca394896e22a9d3048d72a50555e5ce00e4ab55bb33043ff2b2371e3e802a3
SHA1 hash:	dd206007881456b32e688c0973fb9066e9a624e3
MD5 hash:	46051246532519f2991c86e8107a135e
humanhash:	ten-july-edward-timing
File name:	QUOTATION_pdf.gz
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	337'598 bytes
First seen:	2023-12-05 08:39:27 UTC
Last seen:	Never
File type:	gz
MIME type:	application/gzip
ssdeep	6144:0b4kMDqIDkb4I4bhcxyDfr8VNWaC5fqE53BrjB0tafJF8:0ckMK4fhcxScAZJ5RHyEJa
TLSH	T17C7423E229C28122979D33FFE8CB856D7B2A35396FC740149E60FCD6601EDBC5943686
Reporter	cocaman
Tags:	FormBook gz QUOTATION

cocaman

Malicious email (T1566.001)
From: ""NGUYEN DUC TRI-Site Manager" <elsa@zendustry.com>" (likely spoofed)
Received: "from order.zendustry.com (order.zendustry.com [88.209.206.206]) "
Date: "Mon, 4 Dec 2023 04:29:55 -0800"
Subject: "REQUEST FOR QUOTATION"
Attachment: "QUOTATION_pdf.gz"

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

120

Origin country :

CH

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

Relevant files 1

File name:	QUOTATION_pdf.exe
File size:	351'546 bytes
SHA256 hash:	b2c65c335545ffd73fb92349404d68bd4f0866aae7e3d9eeec19ac28d0410312
MD5 hash:	bc8d6f34fb023a57395156053eb1a76e
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

ClamAV Detected

Detection(s):

Sanesecurity.Malware.27383.GZipHeur.UNOFFICIAL

Alert

Create hunting rule

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

control installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/656ee1e53636548f373ae8b8/reports/824d3efe-a933-479e-b28f-9e1339db58fa/overview

Hybrid Analysis Mal/DrodGzip

Verdict:

Malicious

Labled as:

Mal/DrodGzip

Link:

https://www.hybrid-analysis.com/sample/eef3a1c2b765433521f44e737d313ff6103e7f6edbdfd5d446c5e6636e3c9125

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Nucleon Malprob Malware

Score:

98%

Verdict:

Malware

File Type:

Archive

Link:

https://malprob.io/report/eef3a1c2b765433521f44e737d313ff6103e7f6edbdfd5d446c5e6636e3c9125

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eef3a1c2b765433521f44e737d313ff6103e7f6edbdfd5d446c5e6636e3c9125/

ReversingLabs TitaniumCloud Win32.Trojan.FormBook

Threat name:

Win32.Trojan.FormBook

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-04 15:52:23 UTC

File Type:

Binary (Archive)

Extracted files:

3

AV detection:

22 of 36 (61.11%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=53z2dqvxmvbtkipujzzx2mj76yid473o3pp5lvcgyxtgg3r4sesq._file

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/231205-lfww1sac9s/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Legit

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/eef3a1c2b765433521f44e737d313ff6103e7f6edbdfd5d446c5e6636e3c9125