MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f96bf8cd1b734fada186e80b3639ca2abadad7da338664da37db1f6468726954. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: f96bf8cd1b734fada186e80b3639ca2abadad7da338664da37db1f6468726954
SHA3-384 hash: 38d60f6839aa2bc54119b080aca2279a1797430a28ec153d2c7098fe79dd8ba578140d856bd53731a13f3c9ff0751270
SHA1 hash: adde982d470dc3f4b8b7814136d1e7ed1be9884f
MD5 hash: 0d4c3ce57776b7a94353c8bae90034b1
humanhash: crazy-comet-iowa-pizza
File name: ifecotrade oder_details.7z
Signature: Formbook
File size: 607'554 bytes
First seen: 2022-10-07 09:24:28 UTC
Last seen: 2022-10-07 09:30:52 UTC
File type: zip
MIME type: application/zip
ssdeep: 12288:6Umydf/sCjTCztyCvQ+ejRhh3qsOoZ9J6pnvPusE8f6S1FpYPf:6UldXsC37CvQ+Uhh3qsOswpnNE8ff1i
TLSH: T1DBD423F428E7791968BBD66E18A71CB7D553A448639F0A8CD606930D3E7C078E311A3F
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: 7z FormBook zip


Reporter comment (cocaman):
Malicious email (T1566.001)
From: "Ralph Sankt<sales@d-oh.top>" (likely spoofed)
Received: "from d-oh.top (d-oh.top [45.136.58.43]) "
Date: "7 Oct 2022 07:24:59 +0000"
Subject: "RE: FW: NETHERLANDS NEW ORDER EURO 24,987.00"
Attachment: "ifecotrade oder_details.7z"

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 167
Origin country: n/a
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name: ifecotrade oder_details.scr
File size: 896'512 bytes
SHA256 hash: 07ed72a4bb4104975ab6854613bea6283bd16a3948e6d5c8531edd51ca21870d
MD5 hash: 1638a175d8b534a53054996844d1b8ef
MIME type: application/x-dosexec
Signature: Formbook

File name: 32512
File size: 20 bytes
SHA256 hash: fadbda8f2fb14f82337069aacbe05641115d7e75e66a06d3c2fa234cbfb73a88
MD5 hash: f196819a6a0f9879c7e3568e335f50fa
MIME type: application/octet-stream
Signature: Formbook
Vendor Threat Intelligence

Verdict: No Threat
Threat level: 2/10
Confidence: 67%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.Woreflint
Status: Malicious
First seen: 2022-10-07 06:04:30 UTC
File Type: Binary (Archive)
Extracted files: 27
AV detection: 17 of 26 (65.38%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:awqu rat spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam: Formbook
  zip f96bf8cd1b734fada186e80b3639ca2abadad7da338664da37db1f6468726954 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Formbook