MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ccd7791942d7fb2a511b0841af3669d365aba20dd73739808c3666352fa9dea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10


SHA256 hash: 7ccd7791942d7fb2a511b0841af3669d365aba20dd73739808c3666352fa9dea
SHA3-384 hash: 02be11e2361b8ac80ffdef02aa880e3c91d22623ee407e3056b8db3909ea34f36b1d242882dd5c3799454f81176fe8e0
SHA1 hash: 27ac60c8d23d4c93d65a1981db54a1a1d94359a7
MD5 hash: adce9ab8247be2087a3c8c897e6cfd97
humanhash: cat-montana-princess-bakerloo
File name: Revised documents.exe
Signature: Formbook
File size: 1'090'560 bytes
First seen: 2024-01-17 09:45:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:uz5Y1MN62qZaSjVObADlonESN4A0wr35ZSAhqnAPwMbjRKhzJ2ShvkBx9XZXbIG:uzGSUZaITo4A0wrbSA0APwW8eSmr9Bn
Threatray: 848 similar samples on MalwareBazaar
TLSH: T16C358ED1F190899AEC6B4AF16D3AA43025E3BE9D54A4C10C59997B5B36F3342209FF0F
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: lowmal3
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 342
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details:
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 1375946
Sample: Revised_documents.exe
Startdate: 17/01/2024
Architecture: WINDOWS
Score: 92
Signatures on the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
Process tree as drawn in the graph:
Revised_documents.exe (started) [Injects a PE file into a foreign processes]
  Revised_documents.exe (started) [Maps a DLL or memory area into another process]
    sxNPkTDMrmGkMYo.exe (injected)
      WerFault.exe (started)
    sxNPkTDMrmGkMYo.exe (injected)
      WerFault.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2024-01-15 02:25:08 UTC
File Type: PE (.Net Exe)
Extracted files: 30
AV detection: 20 of 38 (52.63%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Enumerates processes with tasklist
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 0c6d69a44ab790d2b5c969bb6fe745922c021c5a8045db416d95d66fea7f6949
MD5 hash: d4fa28533a5dab916e6b1b29272d9894
SHA1 hash: 0b525a5bef5a0a5588f6d5279eae2760df5dcb60

SHA256 hash: a99197a2e3f477d15802a9b2250a01f7cd2be8ed435141a4e280307f2a7f2b7a
MD5 hash: 9ac50796df27f8b3977d71000d15927c
SHA1 hash: dcf769debf4522b0800188ab9cbef26d1dbe8aed

SHA256 hash: 891abe863c31135fbe4a6ff1bd6d50a77d824635ce278147e585b444c5e4f12f
MD5 hash: 6acdcbce98cac74d8bc911e1b18cc832
SHA1 hash: f4e2d1b9a0c16b3a2d7b5cba2c99e4ba9f8e7d28

SHA256 hash: c474c20f2dba669737454f7049eb0434338ae7a250d31f6b111a01743976e602
MD5 hash: 779318746f1f24780999494e7f32f866
SHA1 hash: 56fc39fef6b0b505cc87196ac8d50a6e4c09bd4b

SHA256 hash: 21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash: 440bb4db146ccb1161ac2bcf365d7676
SHA1 hash: 506eda511b46df6e95d86861e70fda81307f8623

SHA256 hash: 7ccd7791942d7fb2a511b0841af3669d365aba20dd73739808c3666352fa9dea
MD5 hash: adce9ab8247be2087a3c8c897e6cfd97
SHA1 hash: 27ac60c8d23d4c93d65a1981db54a1a1d94359a7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments