MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
SHA3-384 hash: cfef0e80077d2c971539593c8e1ce4544e33caefc92b77df451d035ced4a12e35b3066af62b3faf6480b61f9ef1a446a
SHA1 hash: 4d250b0dcf899a48ea668343fef7e724c58fc6a3
MD5 hash: 60822680920de27aed07c2352674f05c
humanhash: gee-twelve-mars-victor
File name:60822680920de27aed07c2352674f05c
Download: download sample
Signature Formbook
Create hunting rule
File size:608'768 bytes
First seen:2023-07-04 07:12:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:QmlBwdW5vk/j4it8ygmgLotNhzT4j2vwvYRTf6/AP1ckphDX:T6dW58/DtMLotr06ovi1ckphr
TLSH T1AAD4593C18BC5E23C170D6B68FD5C461F558D5EB32A28F3663C39A954A1E90229CBE3D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 7cecdc3c2676b8dc (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
5d392bce63c065860ea2dc900e862c49
Verdict:
Malicious activity
Analysis date:
2023-07-04 04:04:37 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/1789e782-6505-4f56-9754-13f26d1310a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/406285/
Detection(s):
SecuriteInfo.com.Variant.Ser.Lazy.4486.9452.26199.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64a3c67f2299d26882649957/reports/36d70e2c-f407-4d4b-8549-e7ca51e3031f/overview
Verdict:
Malicious
Labled as:
Ser.Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d943dfc7-a535-4d7a-b0f8-e8a359866d27
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266412
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1266412 Sample: dY1ZRDSLib.exe Startdate: 04/07/2023 Architecture: WINDOWS Score: 100 35 www.majecticblingzjewelz.com 2->35 37 majecticblingzjewelz.com 2->37 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 53 6 other signatures 2->53 11 dY1ZRDSLib.exe 4 2->11         started        signatures3 51 System process connects to network (likely due to code injection or exploit) 35->51 process4 file5 33 C:\Users\user\AppData\...\dY1ZRDSLib.exe.log, ASCII 11->33 dropped 63 Adds a directory exclusion to Windows Defender 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 15 dY1ZRDSLib.exe 11->15         started        18 powershell.exe 17 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 1 1 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 39 td-ccm-168-233.wixdns.net 34.117.168.233, 49700, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->39 41 www.yaboleyuvip9.com 20->41 43 4 other IPs or domains 20->43 55 System process connects to network (likely due to code injection or exploit) 20->55 26 svchost.exe 20->26         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 26->57 59 Maps a DLL or memory area into another process 26->59 61 Tries to detect virtualization through RDTSC time measurements 26->61 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 06:35:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpoqd46vz4g2cy677t7lplez3y36stblgrtwgdouwcnmms6sq3fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mf6w rat spyware stealer trojan
Link:
https://tria.ge/reports/230704-h13zaabd98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
e8dcf4a845711d133ec7a59456903a4f900ecc818973ff0b30b0404fdf4507ca
MD5 hash:
49055511ea2fac99e305981a9a591d93
SHA1 hash:
df2cb7b787b3dbe4a6e1c02380da37596640a44e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
e4930df88789eff1f7e22f5001a11a9608b6160cbc08db907923cca072fb0756
MD5 hash:
fb0e9424b95d5b19f4c682aff3616804
SHA1 hash:
49e72ca12488a3064b6be340d8eb47d3c7ad4c08
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
e8dcf4a845711d133ec7a59456903a4f900ecc818973ff0b30b0404fdf4507ca
MD5 hash:
49055511ea2fac99e305981a9a591d93
SHA1 hash:
df2cb7b787b3dbe4a6e1c02380da37596640a44e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
e4930df88789eff1f7e22f5001a11a9608b6160cbc08db907923cca072fb0756
MD5 hash:
fb0e9424b95d5b19f4c682aff3616804
SHA1 hash:
49e72ca12488a3064b6be340d8eb47d3c7ad4c08
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
e8dcf4a845711d133ec7a59456903a4f900ecc818973ff0b30b0404fdf4507ca
MD5 hash:
49055511ea2fac99e305981a9a591d93
SHA1 hash:
df2cb7b787b3dbe4a6e1c02380da37596640a44e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
e4930df88789eff1f7e22f5001a11a9608b6160cbc08db907923cca072fb0756
MD5 hash:
fb0e9424b95d5b19f4c682aff3616804
SHA1 hash:
49e72ca12488a3064b6be340d8eb47d3c7ad4c08
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
e8dcf4a845711d133ec7a59456903a4f900ecc818973ff0b30b0404fdf4507ca
MD5 hash:
49055511ea2fac99e305981a9a591d93
SHA1 hash:
df2cb7b787b3dbe4a6e1c02380da37596640a44e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
e4930df88789eff1f7e22f5001a11a9608b6160cbc08db907923cca072fb0756
MD5 hash:
fb0e9424b95d5b19f4c682aff3616804
SHA1 hash:
49e72ca12488a3064b6be340d8eb47d3c7ad4c08
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
SH256 hash:
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
MD5 hash:
60822680920de27aed07c2352674f05c
SHA1 hash:
4d250b0dcf899a48ea668343fef7e724c58fc6a3
Link:
https://www.unpac.me/results/37146fa5-0176-49fe-9774-66d574c1377b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbdd01f3d5cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2676319/
Cape
Cape
https://www.capesandbox.com/analysis/406285/

Comments


Avatar
zbet commented on 2023-07-04 07:13:00 UTC

url : hxxp://185.246.220.60/mazx.exe