MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0
SHA3-384 hash: 89d500fcd2ecc1fad88099d8a72904cd5905b0257b4492424daf54db6f7e895c310de4f35af758fab1c31f87e9722727
SHA1 hash: 4ade82db0e3762a754df784e1174741776b77b79
MD5 hash: 488a92e53724b14f114bf642ef01a598
humanhash: kansas-blue-bacon-bakerloo
File name:cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0
Download: download sample
Signature Formbook
Create hunting rule
File size:852'480 bytes
First seen:2022-10-10 10:59:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Of5dQ0pNedvv+JlebXrI1/J+YDQ4XXA0BOp9DIXZzRb:Of56AoWke+H4XwaO8X
Threatray 15'935 similar samples on MalwareBazaar
TLSH T10C05C05426268A0BCD69B674DDD1E3702FA86DD4436FC24F08DC3DBBF23B2586DA1261
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318325/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FQW.gen.Eldorado.32289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook
Link:
https://www.filescan.io/uploads/6343fb341ddf36bcc3f438cb/reports/343306a7-337b-49d5-bc59-89d62e04aa29/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/393c9270-f5d3-43c0-8ecc-fa572004f87b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086813
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 719370 Sample: FEI9BuaEmY.exe Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 53 www.chooseawish.com 2->53 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 6 other signatures 2->67 9 FEI9BuaEmY.exe 7 2->9         started        13 mWXyHZOFFcR.exe 5 2->13         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\mWXyHZOFFcR.exe, PE32 9->45 dropped 47 C:\Users\...\mWXyHZOFFcR.exe:Zone.Identifier, ASCII 9->47 dropped 49 C:\Users\user\AppData\Local\...\tmp5E1C.tmp, XML 9->49 dropped 51 C:\Users\user\AppData\...\FEI9BuaEmY.exe.log, ASCII 9->51 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 9->77 79 Adds a directory exclusion to Windows Defender 9->79 81 Injects a PE file into a foreign processes 9->81 15 FEI9BuaEmY.exe 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        83 Multi AV Scanner detection for dropped file 13->83 22 mWXyHZOFFcR.exe 13->22         started        24 schtasks.exe 1 13->24         started        26 mWXyHZOFFcR.exe 13->26         started        28 2 other processes 13->28 signatures6 process7 signatures8 85 Modifies the context of a thread in another process (thread injection) 15->85 87 Maps a DLL or memory area into another process 15->87 89 Sample uses process hollowing technique 15->89 91 Queues an APC in another process (thread injection) 15->91 30 explorer.exe 15->30 injected 34 conhost.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 24->38         started        process9 dnsIp10 55 negocioendigital.com 66.206.10.106, 49709, 49710, 49711 HVC-ASUS United States 30->55 57 yourcustommattress.co.uk 66.235.200.146, 49706, 49707, 49708 CLOUDFLARENETUS United States 30->57 59 5 other IPs or domains 30->59 93 System process connects to network (likely due to code injection or exploit) 30->93 95 Uses netsh to modify the Windows network and firewall settings 30->95 40 systray.exe 13 30->40         started        43 netsh.exe 30->43         started        signatures11 process12 signatures13 69 Tries to steal Mail credentials (via file / registry access) 40->69 71 Tries to harvest and steal browser information (history, passwords, etc) 40->71 73 Modifies the context of a thread in another process (thread injection) 40->73 75 Maps a DLL or memory area into another process 40->75
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 03:05:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvozwad4wg3r47dqa4of7dfbpvfjstg63pvoha66ku2fztxmcdaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2e6b14e41b3f871355635c7427cb1531a9b61a37e137f90a590d21eab7648f2f
Formbook
3eca58af30a24d1b5697c4079be161499ec28e5ec399738619c640633b6d1781
Formbook
603b9ff5f2450d74e36a1102c2376268b08224658f5b1dfa26d3e53636a76660
Formbook
649e67dfa9829d849ab0e2e5dd9c40702dbb89cf5a8a02ad111c5f2df79c411f
Formbook
721eee38b9c975862181aac88a3b7ff58666f4eae5db7b8b3eaf37d13fa4eb16
Formbook
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
Formbook
b3a18bdc77b3fdfddbb70867d97fafeaaba9397c308e4b41bf54531f579d809b
Formbook
d0c9d5f00d0620b708926f4a582f1d6ff405710c9533adfeaa9847c1f1f382d3
Formbook
d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb
Formbook
+ 15'925 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:8awd rat spyware stealer trojan
Link:
https://tria.ge/reports/221010-m3z3mabee3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/473aa7d1-df32-463a-a508-ee85c7fc2d32
Unpacked files
SH256 hash:
346505816d8b3652927f0e2a3ed83f610c5487e74701d4f3ecc5bcc1b376489b
MD5 hash:
6a0e94ba72394a4c89cd9b1426ad7637
SHA1 hash:
e4fc7f7a1f1c22c2e1192157244d5f432800af2a
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
Parent samples :
7f87195f503e68e7521d1db1c919144b3aa2d50b1700559e5d764fe6552aa40c
e588202f702d09da848372402afa5056ad34ef721195a231e0bca2d948ccab2d
8f209a35d7bc34d76bb661302ebd621ee13b3c53c332959383fa0ddabb389e2e
cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0
SH256 hash:
393b6bb93ea0a6a33a65e3c3bc37a04f2232154770091228e4068a19e808425e
MD5 hash:
ed31639be4b4cb526a9a70a3f69ee6f5
SHA1 hash:
dbb28f69f0d9237bb216e84a150718658ba27528
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
SH256 hash:
0afcd35a1bc8398425550d1ecf4228ebd46fc4b34fcc6aa65a25216fa34eb151
MD5 hash:
ac2a6f3cb2478bd9b07e79ece032b18e
SHA1 hash:
8a81e000da7e2386592dd6933ecb76d091b6bcae
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
SH256 hash:
6c80cd11160a6bab08fc00c3de523a29598e70945664fe9960ab1aa51eee63d2
MD5 hash:
04fdc47b2cdd2bab38b98380f766a47f
SHA1 hash:
4a9cfd220f15464baa451abd879ebf456253204d
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
SH256 hash:
cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0
MD5 hash:
488a92e53724b14f114bf642ef01a598
SHA1 hash:
4ade82db0e3762a754df784e1174741776b77b79
Link:
https://www.unpac.me/results/1d6334b3-f6b2-4d8f-8781-572f8f90c6e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd5d9b007cb1b71e7c70071c5f8ca17d4a994cdedbeae383de55345cceec10c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318325/

Comments