MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cca33c129db5378e76c95d80d989373ddd042752e19a6ba3d2a6fa7dce4dd62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	1cca33c129db5378e76c95d80d989373ddd042752e19a6ba3d2a6fa7dce4dd62
SHA3-384 hash:	504992f5dfacb324d44cfdef54837ddf7bd97ba2f881a5734f6ddf48189869a477d3e9035a16e166f6e33fe43d0c43e3
SHA1 hash:	8b18f8aceda27741a9c1760b6fb49134019d5f3b
MD5 hash:	9be28563810dae9c0c747e6dcd9aa7ae
humanhash:	yellow-princess-bakerloo-hamper
File name:	Crypted.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	253'440 bytes
First seen:	2020-06-08 14:10:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:VgF0OnuVnK1DUsVgIW8KPTw6z2JZpyjFjWpax:Ve//VYbb2Tp7pax
Threatray	5'330 similar samples on MalwareBazaar
TLSH	8E44EF8D365876CFC8ABD4759AAC2CB4AB51387B930B9213905716ECDA0DA97CF040F7
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

81

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/7056/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.52500.26323.14606.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-08 14:10:13 UTC

File Type:

PE (.Net Exe)

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dtfdhqjj3njxrz3msxma3getopo5aqtvfym2nor5fjx2pxhe3vra._file

Verdict:

malicious

Similar samples:

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

1acd132956421229e7c8fabb1001381956ff135d042b339f2871763498896d9e

2a093b2213d7d589020d69e76fdfd33b441ed125664cb3247d25e9103744011c

532b875f09991cdf7b57db59f0f7aa579d49b229d65ad1ace9f67bf6ffc7bca5

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

6dcf4557563343e881daf4b7d7b01e372457cee637ac001a1102a2e67a69cbf8

8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2

9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412

a7060552a89c2044d1df428221961ff81b0e7ab4ad67ca8e90e121f003a6c85b

b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4

+ 5'320 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-2k5hdcsl62/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.utimake.com/cbsxx/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/7056/

Cape

Cape

https://www.capesandbox.com/analysis/7054/

URLhaus

https://urlhaus.abuse.ch/url/383222/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample