MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896
SHA3-384 hash:	10cda40b19a15ac6f092f112832cc32138c09491637455458c51d1feb35c4088651c641c6e09ef1bf8102e8b994bf258
SHA1 hash:	f93e304ee526b2ec2b11fabb35a3fad6364f78b1
MD5 hash:	a617bfcb888213098a700a28f8551565
humanhash:	spring-nine-don-mike
File name:	SecuriteInfo.com.BackDoor.AgentTeslaNET.55.10932.4857
Download:	download sample
Signature	Formbook Create hunting rule
File size:	776'192 bytes
First seen:	2025-03-11 00:49:45 UTC
Last seen:	2025-03-11 02:18:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:m1Puc154ptksvzrCip12Lr1++ehyE8dxq+jhZf3J2B/LGoD31/J:m1PubtRvzrCi2Ax4xq+jhZf4FH1/J
Threatray	4'554 similar samples on MalwareBazaar
TLSH	T17BF4011572A89E63E6B715F04A32E27547F67D6DA020E3C8CDD5ACEF74E0B406920B27
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

444

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.BackDoor.AgentTeslaNET.55.10932.4857

Verdict:

No threats detected

Analysis date:

2025-03-11 06:31:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/60d43069-4ac7-4823-b9f7-dbcaa653cca6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67cf92360d1b39e3a208e7fc

Tags:

virus micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67cf88ca4a3011c802ccbae5/reports/3a610962-c860-4896-8531-b7e101d0ab4c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5b518ca1-442a-4b17-ad05-4af187b0d528

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1634640

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896/

Threat name:

ByteCode-MSIL.Trojan.Masslogger

Status:

Malicious

First seen:

2025-03-10 21:59:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqwn72m77tstftvsavknlkndnf7hamvogabadfiqd7pv6u3yxcla._file

Verdict:

malicious

Label(s):

unc_loader_037

Formbook

48fd2e1bc3ad4873e7a40d5c5b47757c9ce0f0104b0406797a584f791772eb7e

Formbook

7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896

Formbook

7fd19fb3bc8558dba218a1877438cbccb2412baf3e50918b9f2d808591c27280

Formbook

d4771040c76dca1e55f72d53e5d4866c2b22ef12cb48d18a291bbf3cd35484bb

Formbook

error

Formbook

f6e4833668ca8d61f06a531d2dbaa1ec38f0905c7a3d4523c1cb142df066d74e

Formbook

+ 4'544 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250311-a61r4svvg1/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a7ee7a5d-c03c-453f-a423-48fb7a6a1b64

Unpacked files

SH256 hash:

7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896

MD5 hash:

a617bfcb888213098a700a28f8551565

SHA1 hash:

f93e304ee526b2ec2b11fabb35a3fad6364f78b1

Link:

https://www.unpac.me/results/d0932910-3d3e-4b76-9e5c-d528c4dc6379/

SH256 hash:

49e60159c13ac81c29868600a116ef6fa38f8171f746b46f5222906ecdb94c1e

MD5 hash:

95b776146d30b0835932e6999e0b9ce9

SHA1 hash:

0036ec828ad1447bf19963854cd31025b15dbfa9

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/d0932910-3d3e-4b76-9e5c-d528c4dc6379/

Parent samples :

36f3d01dceb7d29694c694c04cba259c39200ff8028dbfe061ae84929ac3248a
7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896
48fd2e1bc3ad4873e7a40d5c5b47757c9ce0f0104b0406797a584f791772eb7e

SH256 hash:

0f27f173e67929fd59e8a736a941e301d77620c4db3fb6938b846d1b70f66d99

MD5 hash:

d37290c436f11496d526e3e613b60159

SHA1 hash:

338a2e58ca1c2ec19dcf24c4333e2433c7bb939d

Link:

https://www.unpac.me/results/d0932910-3d3e-4b76-9e5c-d528c4dc6379/

SH256 hash:

56249d080e13f3505aff1370f0236bc46e90611a26972f6a7dd06000ef12f21d

MD5 hash:

a1bb89783aa0fb9cb81eb3452ccb71da

SHA1 hash:

797189dfdb6f6eb8d4ba0dec3d9c63878a1a2b8f

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d0932910-3d3e-4b76-9e5c-d528c4dc6379/

SH256 hash:

303cfc8857765ef526d7f517d55940a3df2f852619eedfba9d08b9239cee50fb

MD5 hash:

377461d06903e4b729b975715a45a8f6

SHA1 hash:

847639f8cfc5a2726fa359aa1f62c33326f60b54

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/d0932910-3d3e-4b76-9e5c-d528c4dc6379/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7c2cdfe99ffc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7c2cdfe99ffce532ceb20554d5a9a3697e7032ae30020195101fdf5f5378b896

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample