MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae5114c5da2a6df0df3bde9a6c57f8eefb71cf78fc94aeb1f710bb77030e42b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae5114c5da2a6df0df3bde9a6c57f8eefb71cf78fc94aeb1f710bb77030e42b5
SHA3-384 hash: 82ef9fa3669bf745d9f3d633ccf9c4029774891ccb1d3935332a747bcbdbef7caf517249c3e423226d660cc6672731fd
SHA1 hash: 4c69658a49721567b7701cd0ff38671552cb9e99
MD5 hash: 793148d6d3fbd4a07f2c8cbbd850c5d6
humanhash: fifteen-mississippi-florida-speaker
File name:CHEATBEAR.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:4'074'944 bytes
First seen:2022-08-10 05:44:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa32974ca6c4da742c6f56ca33f35ee1 (22 x RedLineStealer, 3 x Formbook, 2 x RecordBreaker)
ssdeep 98304:kiD3O+sIMaWtBxtlEtj+SSPtlgWhtz5VZuzo:aRIwBvt55VIM
Threatray 284 similar samples on MalwareBazaar
TLSH T1841622B7132B0309E0F58C32C527BED135B2075A7F83ACBCA9996DD196325F4B216993
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CHEATBEAR.exe
Verdict:
Malicious activity
Analysis date:
2022-08-10 05:45:41 UTC
Tags:
evasion trojan stealer
Link:
https://app.any.run/tasks/aafd8a6f-112f-4764-8dac-f42e0475966a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297538/
Detection(s):
Win.Trojan.Fragtor-9955199-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28490/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed wacatac
Link:
https://www.filescan.io/uploads/62f345e19013ab2e3d027a4e/reports/efa24bb4-72f3-414c-9404-8f6d34c893c0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c5368f5d-5122-4280-8db7-964210a6dd01
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1049023
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae5114c5da2a6df0df3bde9a6c57f8eefb71cf78fc94aeb1f710bb77030e42b5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-08-10 05:45:16 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzirjro2fjw7bxz332ngyv7y535xdt3y7skk5mpxcc5xoayoik2q._file
Verdict:
malicious
Similar samples:
093b41e7ab70e8ae0c8fd76032d9399764583bb820cbfbc39048cb3a6a7822d9
Formbook
1884157c40c3b403fb72cbf146d6efc48e58fa23dc43584bd82a40d2b8f01a7c
Formbook
5b3273f09ad5782f7a310f93799361caa312624ab75e7a09c445af4422ce467a
Formbook
7d85c6c8abf4c9f2fa6c4528991979d5cbedefc73ec3ce83c04a4839b50c9555
Formbook
bff8133e208561975ab26abbe89fbd8f190fe90de2b118c570141441db99218e
Formbook
c48fc2c8b85e661ca57eb2d83a705cb79e032866a1ae0a657a5a5a008bc25413
Formbook
e1cb5853335ddce9913c64d88415c6f40197a5dcd0c4d085cc1f1a650959bc66
Formbook
+ 274 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/220810-gfqmsaeafm/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
4c5877bb5b1d9bfb4494e3290addaede1fa47d13308a3f23091f79beb760b63a
MD5 hash:
59884413c46fa4b0ab80d97a9d8627cc
SHA1 hash:
533f67408a03b1716c41fba23475fd9254ff72ea
Link:
https://www.unpac.me/results/24b7d756-1347-47b5-ac21-efd1c870b888/
SH256 hash:
eb7cde150e87d0c6116bce0374f5bae9b9ffc3ce7d44469fe9631a7830034116
MD5 hash:
55da4a897873075e01b0c1480e697965
SHA1 hash:
f2e0904586efd2795c116fea0ef531e44445eba1
Link:
https://www.unpac.me/results/24b7d756-1347-47b5-ac21-efd1c870b888/
SH256 hash:
ae5114c5da2a6df0df3bde9a6c57f8eefb71cf78fc94aeb1f710bb77030e42b5
MD5 hash:
793148d6d3fbd4a07f2c8cbbd850c5d6
SHA1 hash:
4c69658a49721567b7701cd0ff38671552cb9e99
Link:
https://www.unpac.me/results/24b7d756-1347-47b5-ac21-efd1c870b888/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae5114c5da2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/ae5114c5da2a6df0df3bde9a6c57f8eefb71cf78fc94aeb1f710bb77030e42b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ae5114c5da2a6df0df3bde9a6c57f8eefb71cf78fc94aeb1f710bb77030e42b5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/297538/

Comments