MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
SHA3-384 hash: d5853f47b7fba0309121d32aeef9aace77d359e0d7a9371ef5d0344f739883cf90ed4f7557a9dc0076078665fb027964
SHA1 hash: 83b439582a8f3392f18dde97b56d937c518b1cd2
MD5 hash: d5a84036071756dee960de255bd6ab94
humanhash: louisiana-sad-hawaii-utah
File name:spoofer.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:452'608 bytes
First seen:2024-01-19 22:20:09 UTC
Last seen:2024-01-20 00:55:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 12288:3o0NHvykT8QNmJCDWs2qUa3zYgNl3Qc65snvJ:3phFT8QC6WsVUM7NxQcsaJ
TLSH T18AA4F1F0E49BB3CDC16CB4FADC3E61AE287357D195BCC04E45EC06B64A0AED6466D880
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter adm1n_usa32
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
UmbralStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/471770/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop24.52337.109.30712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Blocking the Windows Defender launch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed stealer
Link:
https://www.filescan.io/uploads/65aaf5d3fbf3a226eec8bad5/reports/8434b7ce-3313-40f4-8731-f76f1753a91a/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e05e8b4a-ca90-486a-8dc0-2ab575bcb516
Result
Threat name:
Blank Grabber, Dicrord Rat, Umbral Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1377786
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to disable the Task Manager (.Net Source)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Blank Grabber
Yara detected Dicrord Rat
Yara detected Umbral Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377786 Sample: spoofer.exe Startdate: 19/01/2024 Architecture: WINDOWS Score: 100 55 ip-api.com 2->55 57 gateway.discord.gg 2->57 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 10 other signatures 2->69 9 spoofer.exe 4 2->9         started        signatures3 process4 file5 45 C:\Windows\cleaner.exe, PE32+ 9->45 dropped 47 C:\Windows\Woofer.exe, PE32 9->47 dropped 49 C:\Windows\Spoofer.exe, PE32+ 9->49 dropped 75 Found many strings related to Crypto-Wallets (likely being stolen) 9->75 77 Encrypted powershell cmdline option found 9->77 79 Drops executables to the windows directory (C:\Windows) and starts them 9->79 13 cleaner.exe 8 9->13         started        16 Woofer.exe 14 3 9->16         started        19 Spoofer.exe 14 2 9->19         started        21 powershell.exe 23 9->21         started        signatures6 process7 dnsIp8 81 Multi AV Scanner detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 23 cmd.exe 1 13->23         started        51 ip-api.com 208.95.112.1, 49708, 80 TUT-ASUS United States 16->51 26 WMIC.exe 16->26         started        53 gateway.discord.gg 162.159.133.234, 443, 49707 CLOUDFLARENETUS United States 19->53 28 WerFault.exe 19->28         started        85 Potential dropper URLs found in powershell memory 21->85 30 conhost.exe 21->30         started        32 WmiPrvSE.exe 21->32         started        signatures9 process10 signatures11 71 Uses cmd line tools excessively to alter registry or file data 23->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 23->73 34 reg.exe 23->34         started        37 reg.exe 23->37         started        39 reg.exe 23->39         started        43 27 other processes 23->43 41 conhost.exe 26->41         started        process12 signatures13 59 Disables Windows Defender (deletes autostart) 34->59 61 Disable Windows Defender real time protection (registry) 34->61
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2024-01-18 04:38:53 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 38 (78.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsweqvua4nxj4phkbbt5cnz637z2rgk2edjbuk32uobepifd5moq._file
Verdict:
malicious
Result
Malware family:
umbral
Create hunting rule
Score:
  10/10
Tags:
family:discordrat family:umbral evasion persistence rat rootkit stealer trojan
Link:
https://tria.ge/reports/240119-19mmrsfbe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Detect Umbral payload
Discord RAT
Modifies Windows Defender Real-time Protection settings
Modifies security service
Umbral
Malware Config
C2 Extraction:
https://ptb.discord.com/api/webhooks/1197286741825048616/mPoY62Pti_IE-hGcDYD9Kd5GhKzKQHzuySPby-xlg9GCRDWrviTGJ9au_QMU1pKDVh50
Unpacked files
SH256 hash:
59f283a7f4a7d50e13c963bb2ae0b3ebd0433bb73f2d582b2c9dd0e7564bce0d
MD5 hash:
c0922cfbf0bc3b88f4ab89146f1c5225
SHA1 hash:
c9120012509c3942e0299c1c7eb9fe190b978917
Detections:
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Link:
https://www.unpac.me/results/5f9a060a-aa5e-42d7-a975-88337b4bbdd9/
SH256 hash:
5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
MD5 hash:
d5a84036071756dee960de255bd6ab94
SHA1 hash:
83b439582a8f3392f18dde97b56d937c518b1cd2
Link:
https://www.unpac.me/results/5f9a060a-aa5e-42d7-a975-88337b4bbdd9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5cac485680e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471770/

Comments