MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
SHA3-384 hash: 756ddb00d16f1da3f414f172fe2d9d1657c157affe4b6edee3b9e7eb35b5beb5cf038f7c9ec25677d8d61b231387528e
SHA1 hash: a02e19ef7cea7ef5cdc7ecb05146e9b509df80ce
MD5 hash: f328f1d6c69059f08f15ab3dc8695639
humanhash: burger-december-quebec-failed
File name:41570002689_20220814_05352297_HesapOzeti.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:873'984 bytes
First seen:2023-10-03 18:19:38 UTC
Last seen:2023-10-03 18:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:uX7Ax5uPybFZxVHjvGeniSqFk51dh3fn9Y:uXMxA+JNGPAvh3f9
Threatray 51 similar samples on MalwareBazaar
TLSH T1D905F005326C81E8D52E87BE52CA48B553BE0C173974E94F6E263CEB3BF13914582F99
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0f0f0d4f4f092cc (12 x AgentTesla, 3 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651c5b6140343f27c671634f/reports/a30d372f-0db7-4e82-9093-dab9cc30238e/overview
Verdict:
Malicious
Labled as:
TrojanS.C5A2F73F
Link:
https://www.hybrid-analysis.com/sample/cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6078f69e-62a3-4a91-8337-0113adffb798
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318954
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 07:57:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
19 of 36 (52.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zr2osvcdqogvifuoonv6hgczsjqjp7l5u5qgw3xu3c73pfbqh37q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09b328e48038594af6d79eb256d8fd6de1252725026f511bc1d0fcf7440a21fa
Formbook
0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8
Formbook
2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa
Formbook
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
Formbook
616936befc6956ed76300f793de7f3954a102733b534b020060168cf711e53a9
Formbook
7b798cee09b1e65922731c0ac1ddc080ce0560fe68a01c70e19bcc1bb59cd047
Formbook
a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908
Formbook
cecee88a7617e74a94da62a630b47509785f2d0dd45bae200fba376915eff317
Formbook
efb834b38792a7c5f000b0683aa6fb5999fd2c0d6dfda9ba417f990fbe1041b5
Formbook
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231003-wyr1wseg5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
e9cfda5e815e0cc4abd0bd1b033a456d99a7c12e6809a4cd90a6aa066269dcba
MD5 hash:
7e10d04f96e992dc2ac2c238033637bc
SHA1 hash:
0dcb97db75c11256f6f0f374e19fad6ddb4f65db
Link:
https://www.unpac.me/results/429d012d-218b-4bc8-a6e4-040c7b631f50/
SH256 hash:
38c1d2972e8b84a9e097bf1d12eb2e8244153339251a75089528b04fa5ccceba
MD5 hash:
9033e643ae1e93313db43ca0d1bf2744
SHA1 hash:
93f83c5845344fce7967327ba064ae47ea7a9ad7
Link:
https://www.unpac.me/results/429d012d-218b-4bc8-a6e4-040c7b631f50/
SH256 hash:
4b636d457ecb53eb5655954a05532711a59f21788b1f32819837ae8bafad54a5
MD5 hash:
987e705d86c34d2c3680e215db5dd718
SHA1 hash:
33ccc24e0b6f2ae69534cffd35835cb5c6a4b80e
Link:
https://www.unpac.me/results/429d012d-218b-4bc8-a6e4-040c7b631f50/
SH256 hash:
898fd150509dca25c9f9fe8c71606928e03e4d554ee4ddcf77a36727f606114e
MD5 hash:
d613ffef62740adbb78bca0b19e3fcf3
SHA1 hash:
2dbcdd6c89b2373b5f2821fc3e07a59a8fc9242c
Link:
https://www.unpac.me/results/429d012d-218b-4bc8-a6e4-040c7b631f50/
SH256 hash:
cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
MD5 hash:
f328f1d6c69059f08f15ab3dc8695639
SHA1 hash:
a02e19ef7cea7ef5cdc7ecb05146e9b509df80ce
Link:
https://www.unpac.me/results/429d012d-218b-4bc8-a6e4-040c7b631f50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments