MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5983b0652c9fdd9ebec3d51adfd9a8b9c25a029347a25837deb856a8d8131dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 7



SHA256 hash: f5983b0652c9fdd9ebec3d51adfd9a8b9c25a029347a25837deb856a8d8131dc
SHA3-384 hash: cda19a9e09abbb217dfec35946997f983100724be928c35ec7da0df9302279e6c2b91d8f24213d585ec9783f531aea8b
SHA1 hash: fe324941c55ffda2800afcee5b65596c63b65f22
MD5 hash: 86dd8dbaa46e84409645a1135b0e627d
humanhash: violet-colorado-table-neptune
File name: doc pdf.rar
Signature: Formbook
File size: 785'481 bytes
First seen: 2024-09-13 10:58:56 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 12288:GO96YfKJcDeJh+rmg+Shp+bbBsaWE0QRIAcPAnUsmkF369Gzz+6yh/s/eyEfNh:UqImeOZ+Ip+3j0QRIAcYnUsmkFmGzzKR
TLSH: T1A4F42354AB70B5BC1C965C3E8E80549A07BED64BD405E3D0206BF7571CBE0B8BA8E1F2
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1); 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: cocaman
Tags: rar


cocaman
Malicious email (T1566.001)
From: ""kiro.tsai" <kiro.tsai@yusin.com>" (likely spoofed)
Received: "from yusin.com (unknown [185.222.58.246]) "
Date: "13 Sep 2024 12:58:02 +0200"
Subject: "ARRIVAL MATERIAL - FCL - 4 CONTAINERS - WSS200115361"
Attachment: "doc pdf.rar"

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: doc pdf.exe
File size: 1'264'640 bytes
SHA256 hash: 0d85faadca2fd253ac851a1bc6e089e2b80fdc752bba12fd834193e53a67c6fc
MD5 hash: 569b33b62d453dfe79e8a2ccaea1247d
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags:

Stealth Swotter
Gathering data

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Backdoor.FormBook
Status: Malicious
First seen: 2024-09-13 07:27:32 UTC
File Type: Binary (Archive)
Extracted files: 13
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
rar f5983b0652c9fdd9ebec3d51adfd9a8b9c25a029347a25837deb856a8d8131dc (this sample)

Delivery method: Distributed via e-mail attachment

Comments