MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc7c4b67efaf2c64832f761f13add3e07be896c62d1cd5f36d7751592318f7b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: cc7c4b67efaf2c64832f761f13add3e07be896c62d1cd5f36d7751592318f7b8
SHA3-384 hash: bcbcbbeb067de76046f9b0e4f6f53c7f063a2dd43f02340420974e48dbd7900f7bc0fdf48bb5faaa76152b7c669c4162
SHA1 hash: ee8343173eae416f453195bcffd19d6c13e28f20
MD5 hash: 056c930ffe67767fa06b22221ba82987
humanhash: mountain-fix-steak-iowa
File name: cc7c4b67efaf2c64832f761f13add3e07be896c62d1cd5f36d7751592318f7b8
Signature: Formbook
File size: 673'280 bytes
First seen: 2023-12-08 13:49:48 UTC
Last seen: 2023-12-08 15:19:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:BTCQmbCpaf1yTb5I47yxErf2J0Yo+ME8UfTRcq+YQkwr1P2:BCf1KBuxk1Y82+YxwBu
TLSH: T111E4221475C8A8EBE52A82BA0C5074111BBE7E072520EEAC4DC175DC99B6B528733EDF
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 32ceaeaeb2968eea (8 x SnakeKeylogger, 7 x AgentTesla, 6 x Formbook)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 296
Origin country: HU
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: ID 1356285; Sample: zyyeYPRpdm.exe; Startdate: 08/12/2023; Architecture: WINDOWS; Score: 100
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-28 03:31:24 UTC
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments