MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346
SHA3-384 hash:	a661049cd9a9f9fa58abfaafef1640e947f8f61c3fff0e904b8c879424196ae5aead05bc5c648f3f6e8cc9bc5bdf3287
SHA1 hash:	3ba8ba79fef8c360d076b8c2a8daa8de62d960a6
MD5 hash:	f61518bd5538db15ffb8b9c84aed2119
humanhash:	black-johnny-snake-skylark
File name:	scan_quoatation_2021-9299928928872662772.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	734'208 bytes
First seen:	2021-09-01 21:18:04 UTC
Last seen:	2021-09-05 08:49:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:lQBD8MwFEg+2FCL3rY7H6xJZ9LBhTc3LzXq:5XF3+2FCoShB5crq
Threatray	8'427 similar samples on MalwareBazaar
TLSH	T140F44D3E18FE23279176C7D5CBE08823F2D498AF3233A96567D743664316A4675C322E
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

scan_quoatation_2021-9299928928872662772.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-01 21:20:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1106640b-8ed0-487b-849f-4bf4a242807a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/184578/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.4266.7252.27048.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1c1c1864-cfe2-4381-94a3-87574c2548d4

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843661

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-09-01 21:17:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 45 (33.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zxhx3txmpsd3aux4vny7ptjtc2zowhdbvlcwz3bhqrf3m6piinda._file

Verdict:

malicious

Label(s):

formbook

Formbook

6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4

Formbook

7f6694752a3e50d4f811fb5c807f305ba5c4b422c3fa10468132575c6c2505b6

Formbook

8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e

Formbook

a43c9fb6ba3c066fc3c90c98240ac661d7458c08e9caeab886a88e80f4b70ba3

Formbook

c4d54739b1314f9b59d708502b3f8456d3612df58036c7e148366504a6f1f19e

Formbook

d80d29653891c1d84ba6b72e1eaafefd78700646859bcaa7ded2fc1e2fbafce4

Formbook

ecacac4e9f514e780ff7124b6fdd97251dcec9947d5815166b2b57d2a41ddf0e

Formbook

fc6028f1731d7c612c6a4b848df098cfaa7d3caac1a098c526d9eb24d46bd6c2

Formbook

+ 8'417 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:im8r rat spyware stealer trojan

Link:

https://tria.ge/reports/210901-km1srk58px/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.5201314.mobi/im8r/

Unpacked files

SH256 hash:

c32d28c6475b3b24cac8b0d3354394f483fe4274178a844edacba4d3d949771a

MD5 hash:

6870cef3364d1f55c265e632a7008005

SHA1 hash:

7e4dfbabd7ba8840c99060307888cec54d757ead

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f214d23f-3506-4020-b7e2-e8e6c2d4203b/

Parent samples :

8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e
1e16b93c04940c45684dbdae5dd754b56235c72f5816af3955400371db5ef11a
cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346

SH256 hash:

c3b6af470cb550fbf26aa6072b1bcad572ed47e149aaf4aa247b2980678e45b8

MD5 hash:

8ef7e4ce7b6b9adb95e2bcb9818ea70d

SHA1 hash:

c27e1f6cf52e9d321f62f0091a07f9dfac571428

Link:

https://www.unpac.me/results/f214d23f-3506-4020-b7e2-e8e6c2d4203b/

SH256 hash:

81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c

MD5 hash:

bae511742374b721136acaa03b0c1fa0

SHA1 hash:

215c50455b01a78ea173bbb034ddbe4b452ea734

Link:

https://www.unpac.me/results/f214d23f-3506-4020-b7e2-e8e6c2d4203b/

SH256 hash:

cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346

MD5 hash:

f61518bd5538db15ffb8b9c84aed2119

SHA1 hash:

3ba8ba79fef8c360d076b8c2a8daa8de62d960a6

Link:

https://www.unpac.me/results/f214d23f-3506-4020-b7e2-e8e6c2d4203b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/184578/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample