MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb
SHA3-384 hash: 6e8687c6930ecaffaf5935785cabe77d027c10bb2edef88f8ecac87175f0cefee08088fe4b50819d4695108c12477005
SHA1 hash: a1fe3931c9148fb26bb3b006f2d269f946dbcea7
MD5 hash: 68702d170c2a1b1f54709c56c4a317d6
humanhash: magnesium-fourteen-snake-lion
File name:documents.pdf.7z
Download: download sample
Signature Formbook
Create hunting rule
File size:1'841'406 bytes
First seen:2023-03-20 10:41:30 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 49152:R7kw+AV6yKmCr8nMiSbh7kw+AV6yKmCr8nMiSbm:R7khAo1YfSF7khAo1YfS6
TLSH T1A08533B1A29622F5F68FE56D7FA963C71126DDB13C1B6D06AB2F38496C5C20070F8543
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:7z FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "SharePoint Online <sevvalerol15@gmail.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.251]) "
Date: "20 Mar 2023 11:38:45 +0100"
Subject: "Signed Documents"
Attachment: "documents.pdf.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:gsPzUI8EV8RoSMt.exe
File size:980'992 bytes
SHA256 hash: 85b572a6060bf6d434ab978aa1447096c11f84bcd329d71364de8daf261a4660
MD5 hash: bf7689cacf1c7ec05684d27628538b3d
MIME type:application/x-dosexec
Signature Formbook
File name:Doc___________ [[-Email-]].7z
File size:920'514 bytes
SHA256 hash: 084dc877e690fe4b279dcfeb27d9b54842597cddb8ca4635b13869cefac34752
MD5 hash: c69298af245b28c5ea1946c8485f9ba9
MIME type:application/zip
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6418387bf8dd0701d53c0260/reports/979c911c-a796-451c-9b79-dff1566e972d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-20 09:16:06 UTC
File Type:
Binary (Archive)
Extracted files:
43
AV detection:
8 of 39 (20.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ipigjxf2vo2zvcuf36tbdpkjg7xgvzmpoigr77amjesiccyp25q._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:us38 rat spyware stealer trojan
Link:
https://tria.ge/reports/230320-nt1s8sdc86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip fa1e8326e5d55dacd4542efd308dea49bf73572c7b9068ffe062492408587ebb

(this sample)

Formbook

zip 084dc877e690fe4b279dcfeb27d9b54842597cddb8ca4635b13869cefac34752

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 084dc877e690fe4b279dcfeb27d9b54842597cddb8ca4635b13869cefac34752
  
Dropping
SHA256 85b572a6060bf6d434ab978aa1447096c11f84bcd329d71364de8daf261a4660
  
Dropping
MD5 c69298af245b28c5ea1946c8485f9ba9
  
Dropping
MD5 bf7689cacf1c7ec05684d27628538b3d

Comments