MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc48271c89fbe5dcd0af4aeb1302b9ecc3810cad890e5d2817d9b949449b026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: 2cc48271c89fbe5dcd0af4aeb1302b9ecc3810cad890e5d2817d9b949449b026
SHA3-384 hash: 92eff16f06be9d4a439be8180b261f53cbbc2740e4182f2168cd51880ef363c93ad36b7c6eee03d887846f8b9e395d80
SHA1 hash: 22ec04f8c59bd08cd7afd4739ffb069edf9abb7b
MD5 hash: 7652a95c64befc504577638e16d248a1
humanhash: pip-oven-fruit-red
File name: 7652a95c64befc504577638e16d248a1
Signature: Formbook
File size: 2'707'512 bytes
First seen: 2024-01-31 05:22:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 49152:1l7v7NDVLkzxw7kexEvi9XRS9mBYmDpdsebzwtBOof6oXGcanuee:vb7TLkzxw7keWyhaAYApdsmzwh13aI
Threatray: 408 similar samples on MalwareBazaar
TLSH: T1B4C5120773028966C7519735C5A793240B27EAB3A273E70766CAA6F525133BB3FA0707
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: zbetcheckin
Tags: 32 exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 541
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2cc48271c89fbe5dcd0af4aeb1302b9ecc3810cad890e5d2817d9b949449b026.exe
Verdict: Malicious activity
Analysis date: 2024-01-31 05:25:04 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nightingale Stealer, PureLog Stealer, zg
Detection: malicious
Classification: troj.adwa.spyw.expl.evad
Score: 100 / 100

Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to prevent local Windows debugging
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
UAC bypass detected (Fodhelper)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Nightingale Stealer
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph: [rendered process graph not reproduced here; Behavior Graph ID: 1383805, Sample: CfVl15VHO1.exe, Startdate: 31/01/2024, Architecture: WINDOWS, Score: 100]
Threat name: ByteCode-MSIL.Trojan.Smokeloader
Status: Malicious
First seen: 2024-01-31 05:23:06 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:zgrat persistence rat spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Unpacked files
SHA256 hash: 2cc48271c89fbe5dcd0af4aeb1302b9ecc3810cad890e5d2817d9b949449b026
MD5 hash: 7652a95c64befc504577638e16d248a1
SHA1 hash: 22ec04f8c59bd08cd7afd4739ffb069edf9abb7b
Detections: Typical_Malware_String_Transforms

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Check_Debugger

Rule name: Check_VBox_Guest_Additions

Rule name: CMD_Shutdown
Author: adm1n_usa32

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth (Nextron Systems)
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
Signature: Formbook
File type: Executable exe
SHA256 hash: 2cc48271c89fbe5dcd0af4aeb1302b9ecc3810cad890e5d2817d9b949449b026 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2024-01-31 05:22:30 UTC

url : hxxp://116.202.101.219:8080/L3dr2/Update.exe