MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1
SHA3-384 hash: 8b95ffaa14925b38835a72f255906443d896a5f52acef02facc7940e205f0f542270c441c4133e6126d940662a1e14b6
SHA1 hash: 9ee88df32b1b4b77cdc9b8cb659309e8a1c1e744
MD5 hash: f32116bc8afcc4cf5dccc3b1dc42a8f0
humanhash: gee-pizza-cold-mike
File name:PO198945.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:587'790 bytes
First seen:2025-02-25 09:58:46 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:XPpRHC8PFzIcGFEZeYPl3yIJjPOl4FBj5fiCCSS6w8rR2t0zArD:RRHdP1IZEoYPl5jXFBkCV7q0CD
TLSH T148C42353CB61BEB38DD1244D065189E3FEDCD0E80A5ACC787DD693B34BC868206A5C57
Magika zip
Reporter cocaman
Tags:zip


Avatar
cocaman
Malicious email (T1566.001)
From: "santosh.m@adityabirla.com" (likely spoofed)
Received: "from [195.211.191.129] (unknown [195.211.191.129]) "
Date: "25 Feb 2025 01:47:23 -0800"
Subject: "PO#198945"
Attachment: "PO198945.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
646
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:BD7vEFDWDVNQGK4.exe
File size:644'608 bytes
SHA256 hash: cb122b2022fcde8c2f1704ac186a0add17028456d867be7fed22e4244bca4a64
MD5 hash: 9b5f913dc76f78ec27f519bf60dbbf87
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.31590.25814.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bd94c2a0fd713c335cb4bd
Tags:
infosteal shellcode shell sage
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67bd94753afc3763bec59694/reports/9cdc1aaf-dd29-4dd0-9d56-4b5197d2c922/overview
Verdict:
Suspicious
Labled as:
Troj/Krypt
Link:
https://www.hybrid-analysis.com/sample/6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1/
Threat name:
ByteCode-MSIL.Infostealer.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2025-02-25 09:58:51 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxgh4xtf6sv6tvgh6ejdf2eickp67ueg6tunfqnl5ffsfjaz3xaq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:my18 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250225-mq7lyatqv2/
Behaviour
Gathers network information
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6dcc7e5e65f4abe9d4c7f11232e888129fefd086f4e8d2c1abe94b22a419ddc1

(this sample)

Formbook

Executable exe cb122b2022fcde8c2f1704ac186a0add17028456d867be7fed22e4244bca4a64

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cb122b2022fcde8c2f1704ac186a0add17028456d867be7fed22e4244bca4a64
  
Dropping
MD5 9b5f913dc76f78ec27f519bf60dbbf87

Comments