MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc6c4cd27c628048d24a8292860cbbcf1269415aaee1366edf99a34ae7933cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	cc6c4cd27c628048d24a8292860cbbcf1269415aaee1366edf99a34ae7933cbb
SHA3-384 hash:	18f09c8e9c897d55e4f6f1a1e2e8e04d7ad0b9f23aaa130dbf9a470ae1b04f87e71561f5b2f0f99c18ab672e7d9c53a4
SHA1 hash:	e492d358412b5d15ed3077eb398403f9c1486419
MD5 hash:	aaac927b306949aafaa170b900ed7749
humanhash:	uranus-lamp-lemon-helium
File name:	13.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'416'672 bytes
First seen:	2022-05-10 19:44:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9de116a58a6964e888a644a836e6e83f (15 x RedLineStealer, 1 x Formbook, 1 x TVRat)
ssdeep	24576:iy1+hmo8gqbjIXRlQLa2bWGppsv/asEFXFpQBoPFZO3fQccZU1R87i0QYzaYN2LM:Yhroj4X2Wypsv/OBFzOv9cZU1R8VKYN/
Threatray	75 similar samples on MalwareBazaar
TLSH	T1EE657CA39301931BE393303681DC9E35711616303A6F7C9767105AAADB3B3D16A39F9B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	JaffaCakes118
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CheatArena.zip

Verdict:

Malicious activity

Analysis date:

2022-05-10 19:31:28 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/309beb7d-e41f-40c3-8e44-8f52f55dde35

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269534/

Detection(s):

Win.Packed.Lazy-9942169-0

Win.Packed.Generickdz-9945531-0

Win.Packed.Generickdz-9947449-0

Win.Packed.Fragtor-9949429-0

Win.Packed.Fragtor-9949849-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a window

Sending a custom TCP request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17028/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe greyware overlay packed

Link:

https://www.filescan.io/uploads/627ac09dbe0219041a8f2311/reports/34f8de23-62b1-4318-8aa6-055d639c3530/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a15f43cf-e38c-43e7-9738-9944b3323c6e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/991391

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cc6c4cd27c628048d24a8292860cbbcf1269415aaee1366edf99a34ae7933cbb/

Threat name:

Win32.Infostealer.Reline

Status:

Malicious

First seen:

2022-05-10 19:34:24 UTC

File Type:

PE (Exe)

AV detection:

14 of 41 (34.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zrwezut4mkaeruskqkjimdf3z4jgsqk2v3qtm3w7tgruvz4ths5q._file

Verdict:

malicious

Formbook

99b4df04fc5236a12bcf96a4c6ec797b2555189915050d7a0a1704f4f69ab770

Formbook

a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9

Formbook

b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3

Formbook

cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722

Formbook

d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6

Formbook

+ 65 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/220510-yfveeabdhp/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

221218e88a34c015bb0030c46de5b2765d0c9fd45fe34b093db183245f040ac3

MD5 hash:

57133e2ee71eefa871f08a221c4090a2

SHA1 hash:

4600ae50d94fa70dfc1fc582ef236bbc48ff0ab3

Link:

https://www.unpac.me/results/0cd2bcfd-bdd0-4ae3-955d-bd2932708d11/

SH256 hash:

cc6c4cd27c628048d24a8292860cbbcf1269415aaee1366edf99a34ae7933cbb

MD5 hash:

aaac927b306949aafaa170b900ed7749

SHA1 hash:

e492d358412b5d15ed3077eb398403f9c1486419

Link:

https://www.unpac.me/results/0cd2bcfd-bdd0-4ae3-955d-bd2932708d11/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cc6c4cd27c62/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.88

Link:

https://yomi.yoroi.company/submissions/cc6c4cd27c628048d24a8292860cbbcf1269415aaee1366edf99a34ae7933cbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/269534/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample