MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cce06a9b5a5b4b53d7491b4497a7991e00f83f4f7630394954d6d816f5d53d4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 14



SHA256 hash: cce06a9b5a5b4b53d7491b4497a7991e00f83f4f7630394954d6d816f5d53d4f
SHA3-384 hash: 9cb8f1a1aafcd40f91ffb790a09937395bdf64b0c939918fb8173feac59c961b3ddecaec13888053d38058d84c973c58
SHA1 hash: 0aa34a8c292bfc350268fd730358f75313362d43
MD5 hash: 84913605647689eae55c82a19bdd722a
humanhash: shade-lamp-sad-california
File name: cce06a9b5a5b4b53d7491b4497a7991e00f83f4f7630394954d6d816f5d53d4f
Signature: Formbook
File size: 760'832 bytes
First seen: 2022-09-21 23:34:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:z/X04/geT3lwo3mfZXIHYN0YrJWlylSx1Wdh65YHn58a87ng24Ie9H6aALRAh:TX04/GtIHOE
Threatray: 16'344 similar samples on MalwareBazaar
TLSH: T1FEF47CAC759472FEC823D972DDA81D64AA9274B75B0F420B945306BCCD8D897EF180B3
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: Anonymous
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 314
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: cce06a9b5a5b4b53d7491b4497a7991e00f83f4f7630394954d6d816f5d53d4f
Verdict: Malicious activity
Analysis date: 2022-09-21 23:36:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
- Creating a window
- Sending a custom TCP request
- Unauthorized injection to a recently created process
- Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 83%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
- Antivirus detection for URL or domain
- C2 URLs / IPs found in malware configuration
- Injects a PE file into a foreign process
- Machine Learning detection for sample
- Malicious sample detected (through community Yara rule)
- Maps a DLL or memory area into another process
- Modifies the context of a thread in another process (thread injection)
- Multi AV Scanner detection for submitted file
- Queues an APC in another process (thread injection)
- Yara detected FormBook
Behaviour

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-09-06 05:53:03 UTC
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:fuyb rat spyware stealer trojan
Behaviour
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext

Formbook
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: a464bac990b64a3213cc695f03a1e8b9ce0854f2a4f817a5754db670fa07b4ef
MD5 hash: 17223cf10af8f309dbe151b626d4ae64
SHA1 hash: dd4fd5beef95a34c0809ca54ed58eb26ac1c3b76

SHA256 hash: 3d8563b1131dd979c68d1c28ed7a81e16c009cb6dbafb80f01c112200f0c1b39
MD5 hash: 59132f8bf8db0ad4b22f5d6f7f32ff24
SHA1 hash: d430dee9fb1576190a1879ebd636eef5cd74b57e

SHA256 hash: 4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash: f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash: 5d7add32313074f5a1e9b4ab379298dee8b6217e

SHA256 hash: cce06a9b5a5b4b53d7491b4497a7991e00f83f4f7630394954d6d816f5d53d4f
MD5 hash: 84913605647689eae55c82a19bdd722a
SHA1 hash: 0aa34a8c292bfc350268fd730358f75313362d43
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments