MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e
SHA3-384 hash:	4fbd90f71babbd246c808112e882eae7d382033649f9580d2aed2e35dedb2d75a0c2b31dc796fc79e20115c7b7e9dd07
SHA1 hash:	2dcc8a986ac3d8ef2db2b4f029d5ea6b5e8c25f7
MD5 hash:	54326c193800ac78407da899e591e86d
humanhash:	chicken-gee-zebra-snake
File name:	SecuriteInfo.com.Trojan.Loader.1550.15395.29676
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	456'074 bytes
First seen:	2023-09-29 13:32:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep	12288:nnPdTrcon3RgV0GkxqFsQRv7eXXyOyYO6xdN:nPd5BgVRxaQRz2wYOo
Threatray	54 similar samples on MalwareBazaar
TLSH	T1B2A4CFCDEB1194E0EC2252B1297DDD77476B9C2E6858298929C77E373C62093303B99B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c4c0ccc8ccf4d4fc (23 x NetWire, 14 x AveMariaRAT, 11 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

304

Origin country :

FR

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/452002/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.15395.29676.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Dragonfly

Gathering data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6516d20f43cd377b1ea15e76/reports/e294c3ea-0f61-4679-b752-b61d6304534f/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f999b69f-8442-4703-922d-454248754b86

Joe Sandbox FormBook, NSISDropper

Result

Threat name:

FormBook, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1316624

Signature

Antivirus / Scanner detection for submitted sample

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e/

ReversingLabs TitaniumCloud Win32.Trojan.Zusy

Threat name:

Win32.Trojan.Zusy

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-09-29 12:46:13 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

19 of 38 (50.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w7bmm5djekmthyb74imgxbs3yggdcxsjrm3j25gaaddeevonjfpa._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee

Formbook

1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f

Formbook

2578a3ee6e570cfe5821bbaaf172268ede5fba895d1b4be52df244e73e066bdd

Formbook

50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1

Formbook

5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9

Formbook

6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e

Formbook

b47036189825426c6e368fd21594aaba8dbdcf573464d2939f99da44c9874b97

Formbook

bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067

Formbook

f23c197a08df004d0646c8588e588d3ae064368a208f4679718c0c8995161362

Formbook

+ 44 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://tria.ge/reports/230929-qthnrsce48/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

UnpacMe 2

Unpacked files

SH256 hash:

ed75599ad63df996500549167d925a9d7006bb2b9fb9925bc4d493c3f89d6a1e

MD5 hash:

d8d8e3631fd12e22c8fe833db8c264c0

SHA1 hash:

b9a0bc8f9f8bce7c32faf372883ba1961a593ed9

Link:

https://www.unpac.me/results/26ed18a6-03f7-4ab5-8781-86288f3c5ede/

SH256 hash:

b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e

MD5 hash:

54326c193800ac78407da899e591e86d

SHA1 hash:

2dcc8a986ac3d8ef2db2b4f029d5ea6b5e8c25f7

Link:

https://www.unpac.me/results/26ed18a6-03f7-4ab5-8781-86288f3c5ede/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7c2c6746922/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2715006/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/452002/