MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce1520e70cc0387f6f8ef4b9018c0a761a46d5c8aaac9e97371be1c4fd0ab4fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	ce1520e70cc0387f6f8ef4b9018c0a761a46d5c8aaac9e97371be1c4fd0ab4fd
SHA3-384 hash:	fbbb5ea3b74cc88a0d4ff3868eee003a897e308f4092bd27780aa2cc930767d1ee82218c78d296104d3a9b37667ba699
SHA1 hash:	4087e10268fcbde9a92687d12591cd451e08c808
MD5 hash:	a88c9e19ac28b27933cdb0123049b2e7
humanhash:	nebraska-high-foxtrot-quiet
File name:	SecuriteInfo.com.W32.AIDetectNet.01.12032.24599
Download:	download sample
Signature	Formbook Create hunting rule
File size:	715'264 bytes
First seen:	2022-08-15 16:49:28 UTC
Last seen:	2022-08-15 17:32:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:o0sw3buFocjPY4X6qD98eTJwO7YYQFFmki9bF9g/2aNIMmuSo+j+4WuPQuaLsOx7:3k9gMMmuP+j+pxuZOLluJcgLif
TLSH	T1D6E4CEAF7D8E8806CC250772ECD9008467F27EA27602DADF6DD73182D5723DD4698E86
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.12032.24599

Verdict:

Malicious activity

Analysis date:

2022-08-15 16:50:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2d1251b5-6de8-4e46-8173-b151b264dcc1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/298799/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.12032.24599.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62fa7947493dc2f89c992e4b/reports/0ae9226f-11b0-4e11-a80f-bcf361e9be34/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e3ca8c7-cca6-4a51-ad62-1bc39c282c7f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1051728

Signature

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce1520e70cc0387f6f8ef4b9018c0a761a46d5c8aaac9e97371be1c4fd0ab4fd/

Threat name:

ByteCode-MSIL.Trojan.Zmutzy

Status:

Malicious

First seen:

2022-08-15 16:50:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zyksbzymya4h634o6s4qddakoynenvoivkwj5fzxdpq4j7ikwt6q._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220815-vb9rradcdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

cd5cfe42e055ba2f26c5648c97217b3987501bdd2dfbb6c09f3db9e53a46c15f

MD5 hash:

f5519efc6141f89ce4c83c6819ebbecb

SHA1 hash:

8378ae148fe347d03f1e207c4632ddd4079dd70c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/a7d8380d-12ff-4490-86f5-f3853c8d2385/

Parent samples :

0051c8ac0af126b3df90ec0a431103ea022ace0b947beb2284e9afe2864fa5f1
c93722fc0998cd76a5fcb6959aecc687e3162f620cfbfea06e73f76384109590
ce1520e70cc0387f6f8ef4b9018c0a761a46d5c8aaac9e97371be1c4fd0ab4fd
52d59ef429b603cbce2bf34aeb7f11e28b70dc0d6617186f498a08c17666f282
0ceecaf15bb07d225f39e2bb3e1d403db71fd9daea4771783271cc06e7137608

SH256 hash:

bc627b52506eeed47d0f0e7dc3b391ecf9ee3bfce0ebc0032d246f4ea256a2a4

MD5 hash:

b7c92e2003443e4c22981690bf76ed9d

SHA1 hash:

95f793be20335fa5b934720fd74d42f3c6ad90bf

Link:

https://www.unpac.me/results/a7d8380d-12ff-4490-86f5-f3853c8d2385/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/a7d8380d-12ff-4490-86f5-f3853c8d2385/

SH256 hash:

1b72d49a5e3db7a7a157408ac93240c7e0316ed7f6ddd10befc1af7e4bf7f68c

MD5 hash:

9c1436a35d82492bd09b6d65e4eaf94a

SHA1 hash:

2177711310aef753f821b881a4ee7f64f3bc9ef8

Link:

https://www.unpac.me/results/a7d8380d-12ff-4490-86f5-f3853c8d2385/

SH256 hash:

84af68b0a89b4960c1b798ed3663b3e2b290364339702f34fd76196d34e2a7a2

MD5 hash:

1c6f99f746cd7b0877845469a0b43eec

SHA1 hash:

117c8d2d119a1fb693767a0cffd160a75b21c775

Link:

https://www.unpac.me/results/a7d8380d-12ff-4490-86f5-f3853c8d2385/

SH256 hash:

ce1520e70cc0387f6f8ef4b9018c0a761a46d5c8aaac9e97371be1c4fd0ab4fd

MD5 hash:

a88c9e19ac28b27933cdb0123049b2e7

SHA1 hash:

4087e10268fcbde9a92687d12591cd451e08c808

Link:

https://www.unpac.me/results/a7d8380d-12ff-4490-86f5-f3853c8d2385/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce1520e70cc0387f6f8ef4b9018c0a761a46d5c8aaac9e97371be1c4fd0ab4fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298799/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample