MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ce1d17efa80d4157c768d1c44e5dfb84bb9a925591d8d9c5b9a53a64879b038. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Generic


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ce1d17efa80d4157c768d1c44e5dfb84bb9a925591d8d9c5b9a53a64879b038
SHA3-384 hash: 4e40d310423688bfedc9c834adf195c7287d75581fda49beb4f46656281016b5bf1af2aa7d6bb9b475789d613dfe72fe
SHA1 hash: 04d2268d009e9b8a8d81ee477cd3a999e1733664
MD5 hash: ab73fe20080d88f1f3f41db649e11f5e
humanhash: oven-high-comet-mississippi
File name:anthoony.exe
Download: download sample
Signature Adware.Generic
Create hunting rule
File size:348'328 bytes
First seen:2020-12-01 09:39:34 UTC
Last seen:2020-12-10 08:11:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:3PCganNSO5wjPHpRmL+MqGyzdFGOg/z1GFpxo4IQAscy3EUYTags+HawlqqXY:Nanc7jm+MqGyzuOWzce9QADy3EGg3Ha7
Threatray 3'358 similar samples on MalwareBazaar
TLSH 4D7423366250ECE7E5A90430047FBCB0A6A4D51A5886744B3BE06FEF7D6B05ADC0E8C7
Reporter GovCERT_CH
Tags:Adware.Generic

Intelligence

File Origin
# of uploads :
29
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106196/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/552022
Signature
Hijacks the control flow in another process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325116 Sample: anthoony.exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 40 www.augsburgconfession.net 2->40 42 www.mapomarket.com 2->42 58 Malicious sample detected (through community Yara rule) 2->58 60 Yara detected FormBook 2->60 62 Machine Learning detection for sample 2->62 64 Uses netstat to query active network connections and open ports 2->64 12 anthoony.exe 1 48 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Roaming\...\vslogui.dll, PE32 12->32 dropped 34 C:\...\MicrosoftVisualStudioVSHelp80.dll, PE32 12->34 dropped 36 C:\Users\user\...\WizardFrameworkVS.dll, PE32 12->36 dropped 38 5 other files (none is malicious) 12->38 dropped 15 rundll32.exe 12->15         started        process6 signatures7 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->74 76 Hijacks the control flow in another process 15->76 78 Maps a DLL or memory area into another process 15->78 18 cmd.exe 15->18         started        process8 signatures9 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->50 52 Modifies the context of a thread in another process (thread injection) 18->52 54 Maps a DLL or memory area into another process 18->54 56 3 other signatures 18->56 21 explorer.exe 18->21 injected process10 dnsIp11 44 don8gr8.com 34.102.136.180, 49740, 80 GOOGLEUS United States 21->44 46 www.ranchomanantiales.com 208.91.197.27, 49739, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 21->46 48 15 other IPs or domains 21->48 66 System process connects to network (likely due to code injection or exploit) 21->66 25 NETSTAT.EXE 21->25         started        signatures12 process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 25->68 70 Maps a DLL or memory area into another process 25->70 72 Tries to detect virtualization through RDTSC time measurements 25->72 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ce1d17efa80d4157c768d1c44e5dfb84bb9a925591d8d9c5b9a53a64879b038/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-01 09:40:07 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltq5c7x2qdkbk7dwruoejzo7xbf3tkjfleoy3hc3tjj2msdzwa4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
121ce6392d23c72269e9581f98c66e9d2c5bf7f405923dd620902dc1216f9127
Adware.Generic
29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318
Adware.Generic
543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec
Adware.Generic
6499e8029a2f0db6a6a601d425217cd6bf076fe96accdce24fe042b24001bc8f
Adware.Generic
69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
Adware.Generic
72ec3dcd3d7a197c45c66605330968f86044d6a2ec37bf843e33b7f4668781f9
Adware.Generic
907ce816005834ccfbfc0ea29519e493dee2ae1f141e72f2971eadfc7c6893b1
Adware.Generic
c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37
Adware.Generic
ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f
Adware.Generic
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
Adware.Generic
+ 3'348 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/201201-mz8bm97376/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Enumerates VirtualBox registry keys
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wellnesspharma.net/94sb/
Unpacked files
SH256 hash:
5ce1d17efa80d4157c768d1c44e5dfb84bb9a925591d8d9c5b9a53a64879b038
MD5 hash:
ab73fe20080d88f1f3f41db649e11f5e
SHA1 hash:
04d2268d009e9b8a8d81ee477cd3a999e1733664
Link:
https://www.unpac.me/results/feed3ebb-d232-407d-8d24-bd2e5de2100e/
SH256 hash:
e7504b4d3e0fd36c7cccd92e7514ed779767755153ead38d5be4901def6663b4
MD5 hash:
09e892b513f83e772277dcde6cfdf95b
SHA1 hash:
73eedc660bcef0743369b0320d3a0e42015768a0
Link:
https://www.unpac.me/results/feed3ebb-d232-407d-8d24-bd2e5de2100e/
SH256 hash:
55c7d82972dc0693272643c5fbf8c5a1fb60a24ab603d20b48c1ca56d6af2ac5
MD5 hash:
c591de209b3d4e0ccd1363eaff4db86f
SHA1 hash:
88c0da1747decb7cc2c0bf31a51cc3517c865f2a
Link:
https://www.unpac.me/results/feed3ebb-d232-407d-8d24-bd2e5de2100e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ce1d17efa80/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ce1d17efa80d4157c768d1c44e5dfb84bb9a925591d8d9c5b9a53a64879b038

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Adware.Generic

zip d5179c49d25c407a327094e7eb23684b88582506ae9bc0602bcaae06f35708ef

Adware.Generic

Executable exe 5ce1d17efa80d4157c768d1c44e5dfb84bb9a925591d8d9c5b9a53a64879b038

(this sample)

  
Dropped by
MD5 64112232ea04a55f89d0dfe43388f920
  
Dropped by
SHA256 d5179c49d25c407a327094e7eb23684b88582506ae9bc0602bcaae06f35708ef
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106196/

Comments