MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f74cc276efed80b7a39ef167c256c4572c50810d546f532aade1580e46a3020b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f74cc276efed80b7a39ef167c256c4572c50810d546f532aade1580e46a3020b
SHA3-384 hash:	77f01942a7e17dd3b422a759a1da664a1019cf183c68eee0f253f93c897181c22bc2d91b260ab169a1d2c76f519a15f8
SHA1 hash:	1089e8173a3e181c03187033a3f3a30d45e5917c
MD5 hash:	37ffe497fa3482d78464a92a069c697f
humanhash:	edward-paris-potato-winner
File name:	$23,248.98.PSWIFT.PAYMENT.PDF.zip
Download:	download sample
Signature	Formbook Create hunting rule
File size:	899'088 bytes
First seen:	2022-09-01 08:55:01 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:rEsSe3zvo7KtWnqmXyzTf66Xg/kLb73X9qnTECwVi:Ievx4nq+yS6Xg8b7UTECH
TLSH	T1521523941BD2B8474A397B93A2B44446B367568BD4F9DA1CF0E81FFD2D7C213148A3B2
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	payment SWIFT zip

cocaman

Malicious email (T1566.001)
From: ""BANK OF AMERICA"<hr@nycthai.com>" (likely spoofed)
Received: "from nycthai.com (unknown [109.206.241.76]) "
Date: "01 Sep 2022 07:38:29 +0200"
Subject: "Payment copy Confirm and get back to me."
Attachment: "$23,248.98.PSWIFT.PAYMENT.PDF.zip"

Intelligence

File Origin

# of uploads :

1

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.1427-2.UNOFFICIAL

Sanesecurity.Malware.25510.ZipHeur.Ext.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit packed remcos

Link:

https://www.filescan.io/uploads/631073a6a7450371f695ffdd/reports/014e3c9c-1ab1-4cda-850f-b1433771f452/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f74cc276efed80b7a39ef167c256c4572c50810d546f532aade1580e46a3020b

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f74cc276efed80b7a39ef167c256c4572c50810d546f532aade1580e46a3020b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-01 07:59:27 UTC

File Type:

Binary (Archive)

Extracted files:

32

AV detection:

22 of 40 (55.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=65gme5xp5walpi466ft4evwek4wfbainkrxvgkvn4fma4rvdaifq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220901-kvfynsdbb3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DYEPACK

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f74cc276efed80b7a39ef167c256c4572c50810d546f532aade1580e46a3020b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip f74cc276efed80b7a39ef167c256c4572c50810d546f532aade1580e46a3020b

(this sample)

exe 0e0dbd77f23d8c81b21d351b9a85d3fae401bb4b8ef5feec7634264671eafd1e

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 0e0dbd77f23d8c81b21d351b9a85d3fae401bb4b8ef5feec7634264671eafd1e

Dropping

MD5 ed50513b926ef3d4c7e0cc8c05d9528f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample