MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b
SHA3-384 hash: 592217ae52fa07e929129c093bbd02a796a159aa0df2fc0675f7891f8ed2919b85e60673761ff2affd01b1852bffa971
SHA1 hash: d429eaddb3cfd45c00f0a2274797cc21abb0e2b7
MD5 hash: e176653e327f0b039d5be515f9f313e5
humanhash: october-oregon-august-solar
File name:ПОКУПКА ТОВАРОВ.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:637'868 bytes
First seen:2024-07-15 09:57:02 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:5tzSeK1RExFEzW56vDyJFr0Py/LaH7V6TxqXsfK84DafxPnn:nzSX1R5SEDyv0Py/LaBAHy84epv
TLSH T168D4231CECFCB293279DE4A48845F700BFFF1F91102B48966A9EB2559C4649F2582E4F
Reporter cocaman
Tags:FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?Q?=D0=90=D1=8F=D0=BB=D0=B1=D0=B0=D0=B5=D0=B2_=D0=90=D1=80?=
=?UTF-8?Q?=D0=BC=D0=B0=D0=BD?= <van.duong@alta.com.vn>" (likely spoofed)
Received: "from email.alta.com.vn (email.alta.com.vn [113.161.127.170]) "
Date: "Mon, 15 Jul 2024 05:41:22 +0100"
Subject: "=?UTF-8?Q?RE=3A_=D0=9D=D0=9E=D0=92=D0=AB=D0=99_=D0=97=D0=90?=
=?UTF-8?Q?=D0=9A=D0=90=D0=97_=D0=9D=D0=90_=D0=9F=D0=9E=D0=9A=D0=A3=D0=9F?=
=?UTF-8?Q?=D0=9A=D0=A3?="
Attachment: "ПОКУПКА ТОВАРОВ.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:ПОКУПКА ТОВАРОВ.exe
File size:3'126'397 bytes
SHA256 hash: 73f05c2e81609669d10849fc0c8d9750775adc3e7ec7f118b4e9f254ac1d2825
MD5 hash: f4888fe61cf63aea6500c260ceb0e118
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.37783.1690.14562.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6694f27384e955866872b3aewin7simulatehigh_evasion
Tags:
Banker Encryption Execution Swotter Dexter
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b/results/dashboard
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
97%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2024-07-15 09:57:05 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jl3v24v46h2qmiswkmroonbec5yam4jnwbr27377uwonuielafq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion execution persistence trojan
Link:
https://tria.ge/reports/240715-s1bvxaxelr/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f257baeb95e78fa83112b2991739a120bb8033896d831d7f7ffd2ce6d104580b

(this sample)

Formbook

Executable exe 73f05c2e81609669d10849fc0c8d9750775adc3e7ec7f118b4e9f254ac1d2825

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 73f05c2e81609669d10849fc0c8d9750775adc3e7ec7f118b4e9f254ac1d2825
  
Dropping
MD5 f4888fe61cf63aea6500c260ceb0e118

Comments