MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
SHA3-384 hash: ac0d5c8ed34e949345bb95b761686e248279361a4fc5ed10ba390037643a8b0c7162ec40a44784a99594113ecff2dde4
SHA1 hash: 934123a61f8233ce0aa97d5f8ccf20175ec1ac6c
MD5 hash: c48651c93cc9133fa76bc9933c2cb98b
humanhash: snake-leopard-dakota-uncle
File name:SecuriteInfo.com.Trojan.Olock.1.8558.10592
Download: download sample
Signature Formbook
Create hunting rule
File size:727'040 bytes
First seen:2022-07-13 18:35:36 UTC
Last seen:2022-07-15 03:12:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Dzjy7m1ges+d8LOap7s/OsBRTjbGMcjdHBi6PHXNjsertFuVv4Os:D/Fs+qK/OIR3b56/JseJGQOs
Threatray 15'266 similar samples on MalwareBazaar
TLSH T108F4231573A99A5BCBCDD2F9D0684200337AA331A752FBCE5E8291F055C37A0D9258F7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Olock.1.8558.10592
Verdict:
Malicious activity
Analysis date:
2022-07-13 18:46:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ee27578-090a-4865-90f0-a3bdc04ae867

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287670/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.8558.10592.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cf109a8dab2096b995284a/reports/b7191a8d-5afe-4228-84c2-a64043b3cbcc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c0bac7f4-7c7b-49d9-8014-572cc1f05cbd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1030493
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55/
Threat name:
ByteCode-MSIL.Trojan.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 18:36:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtnrz5kxldv2d5ncv6j6cn6obpyajfu6lfazyv3le6a7qbsz3jkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1877648fdaaeb4d9cc21527eb8c3d5609b41333d886f73837a4fd3a2116d9973
Formbook
25349b2c8f2818db5174e1a60ca9c589ea76d90fd9422c9fb8d4f860caf9696a
Formbook
27ef35c90367b8bd42a5d68e93cd132c1ce8a7b0ba6a73e0447b016da8c4ddd6
Formbook
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
Formbook
5065463a0daee4097021b36718a9a74eda255d717e2135c9715ac0781d60b7c2
Formbook
684782ca20359680b64b720ee81fbb5653fa3a13661c06c61c4a80af50fcdcb9
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
881a87731f1b93caf5f04a7eeced467b38132df018829f3757d30afa7186a714
Formbook
a8542b82f30bd1f1ac0fad9da2d06c9c0ee63d4a5b2e02534b7cbf97be882c0a
Formbook
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
Formbook
+ 15'256 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220713-w8wrtscee8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e26fd77e5cfaecb8249352b9a5eb5bee56d603d313ea78c02146a801eddde39d
MD5 hash:
e7885349a3454e27ca2dce8c1df18ac9
SHA1 hash:
52460c4e9a8697f34cf05cae868a71033504af7a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/48e5bf6a-1168-4729-ad9c-f0f269fc16b4/
Parent samples :
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8
cc241fc34501296b9d528cc1a58bee76407a68a811f26705d868c76f496981d3
d524deece8493db69c10101c080269bbac5054a3d5740d21d50d536753df0c9a
dea4c28b344a778b2d1e880d4d52a69e4fabd2c62657143368fddb8302dccaff
7aeb7b7c9709aa5f1ec6e42ee76aa4a9791999e5f838de009b86bc840a031eab
4ed7500498bf6e841d2089acf3ae49e8a9a29c67926c390ebcc1a36a17cd6329
SH256 hash:
ff46f0b0491f9e2ac967c3c35ba4d9da2b4524ff3e075574b89534bdb4ac3af1
MD5 hash:
22b4d23870a8b8c275b30fef62264538
SHA1 hash:
d44c0383cc563d1ba084668634d84d209e8fb858
Link:
https://www.unpac.me/results/48e5bf6a-1168-4729-ad9c-f0f269fc16b4/
SH256 hash:
fbe6e264532e7b349aba9fe79e33faf5f88a7b42ca698db2087857dd4256de01
MD5 hash:
a0e426e2fac345996c19c60fae3a3676
SHA1 hash:
8f3bf95e1b3e3fcaf889aa51abfa3c5aa03ea561
Link:
https://www.unpac.me/results/48e5bf6a-1168-4729-ad9c-f0f269fc16b4/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/48e5bf6a-1168-4729-ad9c-f0f269fc16b4/
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Link:
https://www.unpac.me/results/48e5bf6a-1168-4729-ad9c-f0f269fc16b4/
SH256 hash:
bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
MD5 hash:
c48651c93cc9133fa76bc9933c2cb98b
SHA1 hash:
934123a61f8233ce0aa97d5f8ccf20175ec1ac6c
Link:
https://www.unpac.me/results/48e5bf6a-1168-4729-ad9c-f0f269fc16b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bcdb1cf55758/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2256885/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/287670/

Comments