MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f56f99de1e3783b8cbca1bd1c7f00685cc04a283f93c8e9b03fb67d494388a1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f56f99de1e3783b8cbca1bd1c7f00685cc04a283f93c8e9b03fb67d494388a1d
SHA3-384 hash: 0f610f2b7ef416c61acabfc7c7b2c6646eab975c715c6d2899df0a2c2ac421cc494e2d21aad4297a2b11ee82186f8d21
SHA1 hash: ff31596f767aa6f6d5302bd71054a012878ffe5a
MD5 hash: 0698e6fa3a6f9ce7e0432276a8669f19
humanhash: south-magazine-echo-kentucky
File name:po# 7648 and po# 7649.pdf.z
Download: download sample
Signature Formbook
Create hunting rule
File size:31'327 bytes
First seen:2023-05-10 06:29:18 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 768:sbdXpYlx6NSjvNRJrZGdagjBvxYfXkoVOj9WvORdsiAmwRV:sZZYlxHvNRrGdFBvxYf9VOj96OHUmw
TLSH T171E2F1867C5EFAE56A050CE6CA4E43D7F04528B4E5992B4DBA188E6B01D033C9970E72
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:FormBook z


Avatar
cocaman
Malicious email (T1566.001)
From: "Amila Attanayaka <tammy@bocaprime.com>" (likely spoofed)
Received: "from michelle.bocaprime.com (michelle.bocaprime.com [45.14.9.106]) "
Date: "Tue, 09 May 2023 20:48:29 -0700"
Subject: "PO-HLL/2023/Labtech/001 for USD 6,347.51. **Urgent**."
Attachment: "po# 7648 and po# 7649.pdf.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:po# 7648 and po# 7649.exe
File size:61'440 bytes
SHA256 hash: 6a57e513b61e8a308a00109c55555b710dcaa64629a25982ddcf3c4433fed248
MD5 hash: 7442ea2f1e130694ac2cb10de30dcd39
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645b39eed054a0b0ef847502/reports/ec3b93d9-e196-4ea6-bbb0-02c29a9bcca4/overview
Verdict:
Malicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/f56f99de1e3783b8cbca1bd1c7f00685cc04a283f93c8e9b03fb67d494388a1d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f56f99de1e3783b8cbca1bd1c7f00685cc04a283f93c8e9b03fb67d494388a1d/
Threat name:
Win32.Trojan.Zmutzy
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 03:34:19 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vxztxq6g6b3rs6kdpi4p4agqxgajiud7e6i5gyd7nt5jfbyrioq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z f56f99de1e3783b8cbca1bd1c7f00685cc04a283f93c8e9b03fb67d494388a1d

(this sample)

Formbook

Executable exe 6a57e513b61e8a308a00109c55555b710dcaa64629a25982ddcf3c4433fed248

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6a57e513b61e8a308a00109c55555b710dcaa64629a25982ddcf3c4433fed248

Comments