MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6
SHA3-384 hash: 73844e54f9d3a9fd56e703e5b42f874eedd90ba08a292cab3e834442b5e288624e3a49efacd21f3d01993ad7aedef8d6
SHA1 hash: f4903473b8ddef1c39744150c3f85eb8e84e788a
MD5 hash: c55319e6e100eebb058fa187aced4626
humanhash: robert-arizona-lemon-minnesota
File name:Cox Purchase.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'344'512 bytes
First seen:2024-09-09 08:38:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aN9Z1lKAGtf2BDkmSQ:ETvC/MTQYxsWR7aN9RpP
TLSH T1C155D00273C1D022FFAB92734F5AF6115BBC69660123A51F13981DB9BE701B2563E7A3
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
405
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cox Purchase.exe
Verdict:
No threats detected
Analysis date:
2024-09-09 08:43:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83b52b1e-dccb-4a27-baad-ab2b4193457c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66deb42b6b8536bde965da80
Tags:
Inject
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin masquerade microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66deb42c62e23382110822d8/reports/4a01e601-3338-47b7-b7d7-eafdf43e35a5/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32b8a572-cd87-4b97-b77f-e59f9eb18664
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1507795
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-09-09 03:04:58 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pqwejbtzuplskxbnc2afzrkyfzzpaegqdyqlnpoblqaixdcp5c3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240909-kkaznsscmb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c43236d1-5735-4de5-b4a2-b83508f230f7
Unpacked files
SH256 hash:
c8287953dd8f853e53fda1e7844c866e6e8de586885a7bbea66915b292c68d95
MD5 hash:
4e3962abf3397e07930c9788b42832d4
SHA1 hash:
d02f9a84237d79f34177e558b7b6f254c2343859
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/346b6702-7935-4444-8cc5-abc630a65f9a/
Parent samples :
3bf9a72ced96da885ff2c3eb4c582332c8c24a9b262623d9fb37cff69f607657
7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6
36f38401f7eef848c4791724b8f1828e8310d3f76a0d4b5e8d302a509ffb260c
22b12746a9cd2c8dcb01f0bf0afd026a9e924410b6b1747c782c3bbc261a8cdb
932112a36c590952c5321ca64f6b85b6119a4f969d4685d617c09ce9eecd78ab
59999cfd989c49af6310f01698666a810c665ca402f6caf0c90cd8be216b81d9
SH256 hash:
2ec8ea0a9ebb5de346d8f5e9a567b8d1ae1e7a818eb1ffbb7aa3d20732396521
MD5 hash:
b109c520a3e22a145bb22d4bc2a94724
SHA1 hash:
00f7a7702f0a937704aca065d153c1f9beb77ab2
Link:
https://www.unpac.me/results/346b6702-7935-4444-8cc5-abc630a65f9a/
SH256 hash:
7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6
MD5 hash:
c55319e6e100eebb058fa187aced4626
SHA1 hash:
f4903473b8ddef1c39744150c3f85eb8e84e788a
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/346b6702-7935-4444-8cc5-abc630a65f9a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c2c448679a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7c2c448679a3d7255c2d16805cc5582e72f010d01e20b6bdc15c008b8c4fe8b6

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments