MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a
SHA3-384 hash: 5323543a7cedafa4ee0b5683d7613fb7b8b24662bc1931a6b2dbffe76834acbdace8bbc5343ee65834e1c5ee504b46aa
SHA1 hash: 8a482356eaf5fe6b77325d2e4813ba46f804565f
MD5 hash: 86ef4963d0bd4ffe426cec3d217b1bbc
humanhash: massachusetts-three-delta-michigan
File name:enquiry - ENQ#16807.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:824'840 bytes
First seen:2024-05-28 07:03:03 UTC
Last seen:2024-05-28 07:24:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:S64y10HwlAzuo+Xlv8VwkYLQmPL1rmJjQztaV/+OS:SZy1GwlAzuocpHkkvPQJWtaV2OS
Threatray 182 similar samples on MalwareBazaar
TLSH T1E60512113264DF11EAB88BF2587426E16BB2766734B0F61C9CC2B4CC8969F909751B4F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 00d0d070d0607000 (6 x AgentTesla, 6 x Formbook, 1 x RemcosRAT)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
enquiry - ENQ#16807.rar
Verdict:
Malicious activity
Analysis date:
2024-05-27 21:51:19 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/b2850ecb-e4c1-4e42-828d-193f87ce66e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2937.21223.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665581f03d0e5a324e7652ddwin7simulatehigh_evasion
Tags:
Encryption Network Static Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f79cb3c-e11c-4dbf-ab84-29816e54b8f3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1448355
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448355 Sample: enquiry - ENQ#16807.exe Startdate: 28/05/2024 Architecture: WINDOWS Score: 100 28 www.ycwtch.co.uk 2->28 30 www.pricekaboom.com 2->30 32 21 other IPs or domains 2->32 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 10 enquiry - ENQ#16807.exe 3 2->10         started        signatures3 process4 signatures5 60 Writes to foreign memory regions 10->60 62 Allocates memory in foreign processes 10->62 64 Injects a PE file into a foreign processes 10->64 13 RegSvcs.exe 10->13         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 16 wYMibvumAdxOcqIjzvEweEKbcoay.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 iexpress.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 2 other signatures 19->56 22 wYMibvumAdxOcqIjzvEweEKbcoay.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 pricekaboom.com 185.31.240.240, 49763, 80 ZONEZoneMediaOUEE Estonia 22->34 36 www.0bi8.fun 107.151.241.58, 49769, 49770, 49771 VPSQUANUS United States 22->36 38 7 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-05-27 10:56:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrx6rcgpujxuprdyfmvdf76vpjcebi64asvhjeztfvkfbjaepffa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77
Formbook
5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
Formbook
7bd1f28dca456faabd6453611b7ddb2b8eb8ef18831edac7ecc4d4e81a82f820
Formbook
994c2c0d2e853b66344f28f6e25ad27fdf1e456f01f6f77aac29eb7a706bbf6d
Formbook
9d3e2f47c9e19eb3dd2ad6ff1b00ae5e7b429c4c997268a42b3f75c6d448090a
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e
Formbook
+ 172 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240528-hvd3zabd88/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c121cc28-b4c2-4b4b-8014-4dd19dc77ea2
Unpacked files
SH256 hash:
28db43da3af01ec123ec09e679da5e49fd6d6263134b4128a82dcf74d1a613bb
MD5 hash:
bd70af299571dcd57b13952abcaafa97
SHA1 hash:
08936d61b4e9c04fea0c3d0de38a774a1f4a8830
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
Parent samples :
5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a
f970aa14ae9a128637c05f5d0772da9a82dde74dcc73b8f860ce3a11e16e1ea5
SH256 hash:
fb36e835b592e7d7dd9f21db0b12b7fb99eff4d83c981beb66dbe2527399d9e2
MD5 hash:
5eef95ef55462405da2c5f0934832828
SHA1 hash:
01e7d4b5cdf17f6a2098fba3e6674e3bd2edb716
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
15f52fb1ccc646009675d70f018afe3e31e08adee0e4a7b61c54ae7189bb827a
MD5 hash:
0e3c501833ca2a0d060b7816ef98299e
SHA1 hash:
001e6869e22c95ae8a0e8e6184e19fbc264d04e4
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
4ed3b0a80feebddd6441815ea99334d7eab55813713a9aa2953412b767405bb8
MD5 hash:
e472f83fa7fb92da892e8ebda9d92112
SHA1 hash:
af8477c3b9530134042aed375122d395d91879e8
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
447e9978cab5493081a564f218035ab29432d51d117d321f37e59950eb1bd527
MD5 hash:
353cd513e93b5a3718761bfafb7e423e
SHA1 hash:
5ef08e02810daf8b2f9216b57837f2919896efa8
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
32c209f2a6369f5bd203a36263a9c243947f0e61da9ef0de068ad1117a9108f0
MD5 hash:
8d1fa59e56a1e6a12aa52f40c4890050
SHA1 hash:
2064eb9d04cb6ca22390df04ec7c214a5642b3ae
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
c3a1f38b673766bb4d3db6b718a782738f03b682426170f58566cb17015fce0f
MD5 hash:
17db6511ed3be71388de199f7fd66587
SHA1 hash:
f0dc5da49b0524f39928087e3a92021e9503018f
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
fb6b2f7b196ffdb39fa9a7c80291eb2a0d0eb702444d258d55d01b19baeb1c64
MD5 hash:
6ab59c266308e8b98f8e5ee72ecdecb8
SHA1 hash:
cb1d7286f94c7e3d94799d16f261172891a76160
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
2df3a3dd7c7bb67784e552f3243ff96c6e569ff25728d9589816ad54c0ac58e0
MD5 hash:
f370f32b07db54b32f50a931e07fc418
SHA1 hash:
a2ac4db17e6dbc4c37ff4d1eba9b2ec77d20b47e
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
89d6844e632f653e1065c241afee7dc38dfa0f2fa5b42d2d4ace83924bd50ff0
MD5 hash:
1af25e359b37f57c8f05810acfa328b0
SHA1 hash:
968ac15add82226719348a5cabdc65facebca900
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
f4513a870c84927bc1acf729db59388348b174d5fb2dab664f6ad5953de35922
MD5 hash:
51305c6774310b48d9340840933ae94b
SHA1 hash:
8b24267e72e239a5d814d25c0a37c36909bcd86c
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
f5243f1a8f299369446cebf23f76901ab7c2f7e57607373c49889c6099a2120f
MD5 hash:
05d13d67675a887d5e485424aa5b3db7
SHA1 hash:
6eab0bacade75cef62d39e1876ad52af49751e7c
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
SH256 hash:
cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a
MD5 hash:
86ef4963d0bd4ffe426cec3d217b1bbc
SHA1 hash:
8a482356eaf5fe6b77325d2e4813ba46f804565f
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/92184a39-25ca-4c34-92d7-9c95a450d93b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc6fe888cfa2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments