MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209
SHA3-384 hash: 22f02318f4b741490f9bfcdf72a5f30111a4794dd464ea75e4edb6a4e1c0084c55ae1f3c04c61fdacf035a5bc4d91576
SHA1 hash: 1ceaa61430265756c400dbf2200a2afc27621ec0
MD5 hash: 8532bd3de99a6a70c19aa6bd007d5faa
humanhash: freddie-nebraska-video-stairway
File name:04042023_dekont.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:617'984 bytes
First seen:2023-04-05 18:32:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:p17XXh/IFO9BWAdnsHkpb/7UXZN95A+2CkM/kh7m6n0RJICxG:f7nh/0ahdQkpbQNHAQk1y6g2kG
Threatray 1'038 similar samples on MalwareBazaar
TLSH T1C3D412057BA8D73BC93C4BF5D863304993F1E62A7066E79A8DC064F50E3776488A19E3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
04042023_dekont.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 18:34:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1aaadfdb-b91f-4ea7-ad25-79b934885ddd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380427/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.10051.12933.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642dbee27dc0445b23891ef4/reports/30c0d5b4-4e86-4de1-a650-7c5616a919bf/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/776a4cec-235d-4e54-8089-b2246b313e74
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1209183
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842100 Sample: 04042023_dekont.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 96 41 Malicious sample detected (through community Yara rule) 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 2 other signatures 2->47 7 04042023_dekont.exe 7 2->7         started        11 vGnDsffFnaT.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\vGnDsffFnaT.exe, PE32 7->33 dropped 35 C:\Users\...\vGnDsffFnaT.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9454.tmp, XML 7->37 dropped 39 C:\Users\user\...\04042023_dekont.exe.log, ASCII 7->39 dropped 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 51 Adds a directory exclusion to Windows Defender 7->51 13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        17 04042023_dekont.exe 7->17         started        53 Multi AV Scanner detection for dropped file 11->53 55 Machine Learning detection for dropped file 11->55 57 Injects a PE file into a foreign processes 11->57 19 schtasks.exe 1 11->19         started        21 vGnDsffFnaT.exe 11->21         started        23 vGnDsffFnaT.exe 11->23         started        25 vGnDsffFnaT.exe 11->25         started        signatures5 process6 process7 27 conhost.exe 13->27         started        29 conhost.exe 15->29         started        31 conhost.exe 19->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-04 12:17:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6yymkgnf4svbauq3j33hllil3gb2dua5xczidouo45y3pqdoieq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
Formbook
1497a90052656ff479232e10d12fb56c3129754e7546538a11e365da74cd15da
Formbook
21721ca445cf51608c363f704dcf8c552aa966239914d5810aca2e642981335b
Formbook
778782d68c349fbb021a749f1370c2446c19cd3a64e7891c84c55ddf834f2e02
Formbook
a1f4604ea58dce5c513639a0929b6e130783a85873bec08ab0e5b061736dd086
Formbook
c077e2a20dd5984363120b91f3fb09983a586d86ddb401ba4414919ec023adc2
Formbook
d98a67065568b317f933edad5c1f2700d1178ece2bc52e511cdf81b9cf2552eb
Formbook
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
Formbook
e0f2298d191750e9e605b5038f70b14e1bbb1091bed8e8e94837e3dbf35bfdc1
Formbook
eb3414abcb87814b1f26bed72e45682051e7b4cd712d30038ef5d45ea8ec3187
Formbook
+ 1'028 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230405-w67fjsgg33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
d85e729c62684bdc5f34613b012f30c0ca59f45c43531eb7a5fbc04ec68f7e93
MD5 hash:
d40976db99bc249211fd127a5844a55b
SHA1 hash:
cc36f5f5418764df2f1a28acc089d31a5e73f3dc
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
Parent samples :
2b25388d41f694e67f7a237681dffe91afa258adbec617a6c203ba6fc0f6ae88
c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209
281905755d85f44072ff82b42789ad01d144ef1ed016cba569bcb73d3e98ee49
354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b
SH256 hash:
78c2ddf3d7708086beb5ea57c40cc9f583f53bb38902a6ed8f9f57be3033700c
MD5 hash:
29338e689fca5831fb926f1361c098ed
SHA1 hash:
35dbf3f881074b6dffe491df0a77eebf0f7f3d55
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
SH256 hash:
ec20bb2cbb58ecec077f62b366079bc73cb5c0d52d7bcfe72a8f11b47f533226
MD5 hash:
564d7c8847feac6d94fdcd1cb9aa5b5e
SHA1 hash:
ec180922fbe20ff2f08f67f3bf0021d13d970f2a
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
SH256 hash:
5c363ca603cd052db748dc695ee9e70add0ec0c9bf58e0ba7f0bf1d93a30d760
MD5 hash:
f1f205b58cd1c03d182f7d9f04cd5c3e
SHA1 hash:
32f8a7a9d95e8864c9f6814c59e0c551ffbb62c2
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
SH256 hash:
8c75f846ea7641e51e32c4c862d1dffaa28f0a001476c6a24f477225a0a25c76
MD5 hash:
4b7228ca033950cc5b21978a43f3611d
SHA1 hash:
0c1378dab9502be85d2453443ec8e835506dd2b6
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
SH256 hash:
c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209
MD5 hash:
8532bd3de99a6a70c19aa6bd007d5faa
SHA1 hash:
1ceaa61430265756c400dbf2200a2afc27621ec0
Link:
https://www.unpac.me/results/6ce1bcd4-d3e0-431a-a6fd-2505bef7cf28/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c7b18628cd2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380427/

Comments