MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc05934c2dd38f5443589c2f688496b69fd90c07b1557ad578a15d39f4e4766b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 4

SHA256 hash: fc05934c2dd38f5443589c2f688496b69fd90c07b1557ad578a15d39f4e4766b
SHA3-384 hash: 6a11d94fd91300dc93e03287d3cc7759309e421763a62a406b38432275023dda7d8c04226f23ad9d0d856b7ddcb8483a
SHA1 hash: 48127d3699752530dcfb9c01246e96037142ed2f
MD5 hash: 26a74f164204ae3693a8487e2482a010
humanhash: alaska-indigo-apart-pizza
File name: BP-50C26_20241220_082241.rar
Signature: Formbook
File size: 1'037'655 bytes
First seen: 2025-01-08 13:57:56 UTC
Last seen: 2025-01-09 08:35:56 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 24576:uJ6ZlI1lPh4RO/jELLrSjsjIy53GP1fY+Ni9hLggTYTUum10haT2k2ZH:q6PI1lPiYIUsjlwVY+N2hM0py0T2NH
TLSH: T1942533AB485210E5AD849E0D6EE2E7006336F642D6DBA1E7B8313F47357B7F4B610A4C
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: cocaman
Tags: FormBook rar


Reporter comment by cocaman:
Malicious email (T1566.001)
From: "Nikos Nikolaou <kit@migenetika.com>" (likely spoofed)
Received: "from bold-merkle.2-59-163-125.plesk.page (unknown [2.59.163.125]) "
Date: "08 Jan 2025 13:28:04 +0000"
Subject: "OPTIONS TO PURCHASE"
Attachment: "BP-50C26_20241220_082241.rar"

Intelligence


File Origin
# of uploads: 2
# of downloads: 108
Origin country: CH

Vendor Threat Intelligence
Threat name: Win32.Trojan.AutoitInject
Status: Malicious
First seen: 2025-01-08 13:57:59 UTC
File Type: Binary (Archive)
Extracted files: 27
AV detection: 19 of 38 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: discovery

Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook
Sample: rar fc05934c2dd38f5443589c2f688496b69fd90c07b1557ad578a15d39f4e4766b (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments