MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f09fbab736a95a4d6aefcbfe08a0ed19ab627eb05fd13271dfd5d1de82cbdcd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 4



SHA256 hash: f09fbab736a95a4d6aefcbfe08a0ed19ab627eb05fd13271dfd5d1de82cbdcd3
SHA3-384 hash: 0b193f506b2c627caeba6370104d4299db8c433887a211d8cff29cb6bb18fb0b092b6aab6e8db7b8a2b85ee352dbb9a1
SHA1 hash: e1c216a821d8dd36abe4ac7ae80f44b90c9172fe
MD5 hash: 058acb96a62c083c0d8914afb3e0974e
humanhash: vegan-vermont-skylark-fifteen
File name: Outstanding SOA.iso
Signature: Formbook
File size: 677'888 bytes
First seen: 2022-12-16 15:08:17 UTC
Last seen: 2022-12-16 15:22:25 UTC
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:yZ+9tvUmtBrASq86QaJZ76qIJgNhU3aHHI1S8WDcKEBkKmYu8gWd78rrYk3:Y+vvLo86QMZ7QQuoT8WYu8Rd78r
TLSH: T1EFE42390AFF4E92DDE20447106B6B0C597B3F00853729A987B7C9F66A70FDD2252274B
TrID:
  99.4% (.NULL) null bytes (2048000/1)
  0.2% (.ISO) ISO 9660 CD image (5100/59/2)
  0.2% (.ATN) Photoshop Action (5007/6/1)
  0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
  0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter: cocaman
Tags: FormBook iso


cocaman
Malicious email (T1566.001)
From: "Surplus Solicitors <amanda@greenboxdc.com>" (likely spoofed)
Received: "from adze.greenboxdc.com (adze.greenboxdc.com [88.209.254.164]) "
Date: "9 Dec 2022 21:55:59 +0100"
Subject: "Long Overdue Statement"
Attachment: "Outstanding SOA.iso"

Intelligence


File Origin
# of uploads: 3
# of downloads: 119
Origin country: n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Outstanding SOA.exe
File size: 616'101 bytes
SHA256 hash: 0f271e19f44c1a2535e2010c6c9d25cacfba120bd75fab85e01feebe961dd4c7
MD5 hash: 5b18fe7d9aa3fdcdec0d0932827f7b05
MIME type: application/x-dosexec
Signature: Formbook

Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-12-10 17:01:08 UTC
File Type: Binary (Archive)
Extracted files: 33
AV detection: 22 of 40 (55.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_EXE_in_ISO
Author: SECUINFRA Falcon Team
Description: Detects ISO files that contains an Exe file. Does not need to be malicious
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample: iso f09fbab736a95a4d6aefcbfe08a0ed19ab627eb05fd13271dfd5d1de82cbdcd3 (this sample)
Delivery method: Distributed via e-mail attachment (Malspam)
Dropping: Formbook
