MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1f5427b31de5567c9cfbe974144742316f340eb8987f4b237c11447a213a9a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: f1f5427b31de5567c9cfbe974144742316f340eb8987f4b237c11447a213a9a8
SHA3-384 hash: 20ad60c2fdea8b315089184dd5ae6a49123c794f16b69fd3f73a926114bc8b4a365ea63c9e8034baca7b3b33fc026cf8
SHA1 hash: 545188635f3f89bb5ed62755535039ed2e04cde5
MD5 hash: 088975093263b414de3ca77163eb2c5e
humanhash: timing-louisiana-apart-beryllium
File name: Remittance Advice PO#2.rar
Signature: Formbook
File size: 696'619 bytes
First seen: 2025-04-04 06:38:44 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 12288:U2xBquSHB5b6y9/YTRw7h0RkAxmo60r9VQzhUm9Wdn+FXtTVGWpqJqLxY:XxBqDPblcRw7t9WVQt59WetBHpqSxY
TLSH: T1D0E42300F1A6ECFC763C237866A0C1619F7810C6A6456FE2B96503FD3E621319EB757A
TrID: 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
      41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: cocaman
Tags: FormBook rar


cocaman
Malicious email (T1566.001)
From: "trade@boratr.co.kr" (likely spoofed)
Received: "from [195.211.191.132] (unknown [195.211.191.132]) "
Date: "3 Apr 2025 18:31:04 -0700"
Subject: "Remittance Details for PO#2"
Attachment: "Remittance Advice PO#2.rar"

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Remittance Advice PO#2.exe
File size: 1'190'912 bytes
SHA256 hash: cc9466116928990ca27627947bf03b92d6bbf4f9bb7d2e5fb005a7a3be041159
MD5 hash: d073d944518815e573dc239d110e56db
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: autoit emotet

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug autoit compiled-script fingerprint hacktool keylogger lolbin microsoft_visual_cc packed packed packer_detected regedit wmic

Threat name: Win32.Trojan.AutoitInject
Status: Malicious
First seen: 2025-04-04 06:38:46 UTC
File Type: Binary (Archive)
Extracted files: 24
AV detection: 22 of 38 (57.89%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_no_import_table
Description: Detects PE files that have no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: testing_win_formbook_autoit
Author: dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
rar f1f5427b31de5567c9cfbe974144742316f340eb8987f4b237c11447a213a9a8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments