MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b
SHA3-384 hash: fdef659bd766bc1e90896ce9ce776b0317fe482b4fc93c8d48736f1d9dbeb1977be0f4361e6011f99839336c3ee45328
SHA1 hash: 74101083f93ada64c90cf9c847a85a977e32ea34
MD5 hash: 05fc21bea0e2af548877c86b403194a5
humanhash: cat-mango-xray-solar
File name:SecuriteInfo.com.Variant.Zusy.476566.32759.1467
Download: download sample
Signature Formbook
Create hunting rule
File size:876'544 bytes
First seen:2023-07-13 08:44:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c89e1efb96b387f5f5729480c1720cb4 (1 x Formbook, 1 x ModiLoader)
ssdeep 12288:9uFlh/9H4TTkazYIYUvyQZMBi3//S0TyuXs0OJhYLfOXmxkImCcph3UXZ:9GpZazfYUyaiE60ONrpdUX
Threatray 3'255 similar samples on MalwareBazaar
TLSH T11515BF26D6911876D21F1238ED9FA29898197FB03F24AC4ABBD43F5DFF34681B811346
TrID 30.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
28.1% (.SCR) Windows screen saver (13097/50/3)
14.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.6% (.EXE) Win32 Executable (generic) (4505/5/1)
4.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 10b0ac9c8c848a30 (2 x Formbook, 1 x ModiLoader)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Zusy.476566.32759.1467
Verdict:
No threats detected
Analysis date:
2023-07-13 08:45:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e6a9ea82-9b4f-4b5b-b772-8fbe5c7c337e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/417319/
Detection(s):
SecuriteInfo.com.Variant.Zusy.476566.3510.15587.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97411/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin masquerade overlay packed remote
Link:
https://www.filescan.io/uploads/64afb990057bff26cf2368aa/reports/9480fc5f-83fe-4455-bdda-ec557d9e0f52/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/828736a2-8c82-448e-9447-ea28c751b863
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272323
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272323 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 7 other signatures 2->68 9 Pybidwji.bat 2->9         started        13 SecuriteInfo.com.Variant.Zusy.476566.32759.1467.exe 1 2 2->13         started        process3 dnsIp4 46 web.fe.1drv.com 9->46 48 puuk7g.ph.files.1drv.com 9->48 54 2 other IPs or domains 9->54 78 Antivirus detection for dropped file 9->78 80 Multi AV Scanner detection for dropped file 9->80 82 Machine Learning detection for dropped file 9->82 86 4 other signatures 9->86 16 explorer.exe 2 1 9->16 injected 50 web.fe.1drv.com 13->50 52 puuk7g.ph.files.1drv.com 13->52 56 2 other IPs or domains 13->56 32 C:\Users\Public\Libraries\Pybidwji.bat, PE32 13->32 dropped 84 Tries to detect virtualization through RDTSC time measurements 13->84 file5 signatures6 process7 dnsIp8 34 www.gongwenbo.com 172.67.145.136, 49704, 80 CLOUDFLARENETUS United States 16->34 36 www.seo-art.agency 16->36 38 27 other IPs or domains 16->38 58 System process connects to network (likely due to code injection or exploit) 16->58 20 Pybidwji.bat 16->20         started        24 WWAHost.exe 16->24         started        26 cmstp.exe 16->26         started        signatures9 60 Tries to resolve many domain names, but no domain seems valid 36->60 process10 dnsIp11 40 web.fe.1drv.com 20->40 42 puuk7g.ph.files.1drv.com 20->42 44 2 other IPs or domains 20->44 70 Modifies the context of a thread in another process (thread injection) 20->70 72 Maps a DLL or memory area into another process 20->72 74 Sample uses process hollowing technique 20->74 76 Tries to detect virtualization through RDTSC time measurements 24->76 28 cmd.exe 24->28         started        signatures12 process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 07:31:20 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxbo4fagqnhokn5ezfc6i5k7kmts2rrecqbos3dx2dplkboj4uvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
Formbook
96bde9151480b20318275c2c0e045dc13486a76cf81465e4e02ad97cf37140b0
Formbook
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
Formbook
b2d9890dbbc344c79e99127f7aebf3f459349081c2033e5288128bd2cb37a8b4
Formbook
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
Formbook
e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98
Formbook
+ 3'245 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat trojan
Link:
https://tria.ge/reports/230713-knp8rsfh66/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
260ca5857221ea609d1efa7627236a251e6149080dc9c2afbb79dc81866d1fb3
MD5 hash:
2f469d7ace57c64d2ba89ac73c8baf36
SHA1 hash:
54115de9d01d10d21daebcee2222f9579f5ee0e8
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/d5a0c610-c34a-4b2a-b225-489e6c71e7dc/
Parent samples :
35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b
12d7296fa8ee95861d67877223842af8b28608bc8ea32cdff1c269701da3727e
f1e3c1051d3047c71e2cc9e3ddfb48e389aad587f927251363b1aed6281c2299
SH256 hash:
35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b
MD5 hash:
05fc21bea0e2af548877c86b403194a5
SHA1 hash:
74101083f93ada64c90cf9c847a85a977e32ea34
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/d5a0c610-c34a-4b2a-b225-489e6c71e7dc/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35c2ee140683/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/417319/

Comments