MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5ab468c825733e9f01a7c7da0e1886ed0fb3a852305df114acb66ebf40c946a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5ab468c825733e9f01a7c7da0e1886ed0fb3a852305df114acb66ebf40c946a
SHA3-384 hash: a917aa16287bfa71fbf6d0efd617f705df54e40c13b439080ab0c1dda93c8da3b489c81ae387d38dcc83c3b2a2d0694f
SHA1 hash: 1cac979695101938224bcd5d1b47b69a62652e9e
MD5 hash: 58abce869158486f8d1eaa62e0ea3c5e
humanhash: nine-four-london-artist
File name:New Order pdf.r00
Download: download sample
Signature Formbook
Create hunting rule
File size:704'092 bytes
First seen:2024-07-08 14:30:29 UTC
Last seen:2024-07-08 14:31:20 UTC
File type: r00
MIME type:application/x-rar
ssdeep 12288:4Fat379turBlpUwdufVrnPSOaZ4pb8F7+Ts/V6HDLRzxUplAZ:R3pIRdu9rPS4SaIN6HPR9CCZ
TLSH T162E4332DD46F6865C07C91870297C3FBB2B00AC6F6AB48251EAD6DF4C1711A6F23A794
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:FormBook r00


Avatar
cocaman
Malicious email (T1566.001)
From: "Purchase<orderresponse@evonik.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.85]) "
Date: "8 Jul 2024 10:23:34 +0200"
Subject: "RE: New Order"
Attachment: "New Order pdf.r00"

Intelligence

File Origin
# of uploads :
3
# of downloads :
96
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:AiWtPwwNq0ihlun.exe
File size:759'808 bytes
SHA256 hash: 668493fe37aeaea5f2e74a1a4b7d36b8a65728d317ecc8bbc7f0f2a7de549af4
MD5 hash: 0b23a8c7d1849ad79eae359e1344fa3a
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Rogue.0hr.20240708-1432.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668b85c73bd942ce8f6def5bwin10vpnfull_triage
Tags:
Generic Static Swotter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/668bf8294c6b479391e41022/reports/a82c9d1e-63fa-4c48-9e3a-d17eaee5d7bb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f5ab468c825733e9f01a7c7da0e1886ed0fb3a852305df114acb66ebf40c946a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5ab468c825733e9f01a7c7da0e1886ed0fb3a852305df114acb66ebf40c946a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-07-08 09:05:18 UTC
File Type:
Binary (Archive)
Extracted files:
17
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6wvundeck4z6t4a2pr62bymin3ipwoufemc56ekkzntox5amsrva._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5ab468c825733e9f01a7c7da0e1886ed0fb3a852305df114acb66ebf40c946a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 f5ab468c825733e9f01a7c7da0e1886ed0fb3a852305df114acb66ebf40c946a

(this sample)

Formbook

Executable exe 668493fe37aeaea5f2e74a1a4b7d36b8a65728d317ecc8bbc7f0f2a7de549af4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 668493fe37aeaea5f2e74a1a4b7d36b8a65728d317ecc8bbc7f0f2a7de549af4

Comments