MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc8fab47732be49333428c71d3c6dfa04663cb9bb2bc388f0dbb2c303e067150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc8fab47732be49333428c71d3c6dfa04663cb9bb2bc388f0dbb2c303e067150
SHA3-384 hash: 818c91b7cb06fed03f388b1d4b924f2d56485cb46b7334f35518ecff2024389d78822eb80427f9e089f361436cf6d40d
SHA1 hash: 5e99544e1a88fc6fb601ca28fccb168f5c53ef9d
MD5 hash: 2303cddd86181ded5023331ecc15ef5a
humanhash: magnesium-undress-social-princess
File name:New Inquiry.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:811'520 bytes
First seen:2022-10-03 13:21:13 UTC
Last seen:2022-10-04 10:03:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:atvX3E3BtLtcLw6bXQnyiwxc/OyYDtxA/x/qrzlVic8ZBs:atvX3E3BtLtcjxW/lYDw/srzkZB
TLSH T12F05CF261AFA5B0BD165A3FC90D1C2B197A99C15F163C38B6FCA5CDFB08AB118750B13
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316111/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
azorult packed
Link:
https://www.filescan.io/uploads/633ae1fb0d3d21420cca44bb/reports/4fdcf538-e712-4a79-8a73-f64b011a21c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/159111c5-c28d-4390-85fd-141301f5dc54
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082489
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc8fab47732be49333428c71d3c6dfa04663cb9bb2bc388f0dbb2c303e067150/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-01 08:51:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsh2wr3tfpsjgm2crry5hrw7ubdghs43wk6drdynxmwdapqgofia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r83r rat spyware stealer trojan
Link:
https://tria.ge/reports/221003-ql79fshac6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2bf36564-ba5d-4dbb-8916-3a61d934b964
Unpacked files
SH256 hash:
87450a9582b6c3dc190d5994101541e3e724299f37f77e6d3aa97a9a52f06475
MD5 hash:
848aa9ed8ecd57df81cda08602488407
SHA1 hash:
f6656bbfa9b64526fa12aa5ccb3d78c10f8c07d5
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
Parent samples :
80321be28c272c05b337728c4098daf4ed9906160441c5cbcb57ca184d823a07
065b61d4c2dab941887441c1bd0c9028cb3f8bdaa3639f376e2dd5845c3984a4
cc8fab47732be49333428c71d3c6dfa04663cb9bb2bc388f0dbb2c303e067150
832ba5363bd145bbcc01871bf79726fe7d4cfe90d9f93d9cca64598887c91d38
3d9766bbf57730b0aa1d3d43a8ce30d7f7b0798b82f32d235a06af5cdbb6ab6c
3eca58af30a24d1b5697c4079be161499ec28e5ec399738619c640633b6d1781
SH256 hash:
ee9bbe8057d0c02d75ab7fee9bf71a0a687d091d7f7655018a94e8e9e9637a75
MD5 hash:
2f82a989a039d4ada0c6c1084f090991
SHA1 hash:
bb13280fb51da99e2cf266150498291afd25ab11
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
SH256 hash:
5784c2fb7b778aadcb1768e0773de20a819ac4ec2c4bfc3122d5bf25a1b54001
MD5 hash:
2de7f5cc789805a0cfbfd42c09353651
SHA1 hash:
68e70579c4db3f221ba83927c7bc0e02d179488b
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
SH256 hash:
93efb7f86d93fcdadedb4840baac849b523efb269aa79317495d58af04c80fab
MD5 hash:
f60a5d6de49d960c8edb655ec96faa74
SHA1 hash:
56bdf5a3eff52382231156ad9ed0850ec31d2749
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
SH256 hash:
cc8fab47732be49333428c71d3c6dfa04663cb9bb2bc388f0dbb2c303e067150
MD5 hash:
2303cddd86181ded5023331ecc15ef5a
SHA1 hash:
5e99544e1a88fc6fb601ca28fccb168f5c53ef9d
Link:
https://www.unpac.me/results/0f9a56a2-0bd9-46a7-8b9e-7a3b8902777a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/cc8fab47732be49333428c71d3c6dfa04663cb9bb2bc388f0dbb2c303e067150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/316111/

Comments