MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce5200f83fa5cb0f31b93edbfbc372e3d93bc71450f77ba705b452ca523e24e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	ce5200f83fa5cb0f31b93edbfbc372e3d93bc71450f77ba705b452ca523e24e5
SHA3-384 hash:	476b3d64638730f0b7b7c72a7f1aa03467fcc535375bf9d0959fef3ab54e7b92b1bd709b3b6c6a389f3e6be5b5d727f3
SHA1 hash:	42521533146be0b9a72682d450ef6f168c9f4aae
MD5 hash:	c9bd9f624a71fbfafd2f09d361ec3082
humanhash:	edward-shade-florida-mars
File name:	SecuriteInfo.com.Scr.Malcodegdn30.14128.26302
Download:	download sample
Signature	Formbook Create hunting rule
File size:	513'536 bytes
First seen:	2021-09-10 04:41:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VHtx898Xtyk4DbF53e0IUFL6HcdJBaSSK2yVpi56K+gH7LcqIJzeApVa:JcG8dJBK6P2+MoqaV
Threatray	9'170 similar samples on MalwareBazaar
TLSH	T1C1B4AE243DEB5129F173AFB55AE4B5929B6FB6333A87E41D1441038A0623B40FE9163F
dhash icon	022c5b52a6a456a9 (8 x Formbook, 7 x AgentTesla, 3 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Scr.Malcodegdn30.14128.26302

Verdict:

Malicious activity

Analysis date:

2021-09-10 04:43:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/56a9c798-3f31-4486-a4f7-f86deee40523

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/186757/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.14128.26302.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2632d405-e4b7-4d72-ba88-109349d4f91f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/848554

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ce5200f83fa5cb0f31b93edbfbc372e3d93bc71450f77ba705b452ca523e24e5/

Threat name:

ByteCode-MSIL.Trojan.Phonzy

Status:

Malicious

First seen:

2021-09-10 04:42:08 UTC

AV detection:

9 of 45 (20.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zzjab6b7uxfq6mnzh3n7xq3s4pmtxryukd3xxjyfwrjmuur6etsq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1b4d3e69b4e2e533522d48f27a0137e34b92b01e36d348c12f0df4371ed7d573

Formbook

2239e9738b2618a22115aa25c1016a01ffabd0bfe9a405f3b87cfb5cd9f42458

Formbook

23937d5a0c43160688d1f164a4fa52d777661d61a00fdee79d96d8fbc25cac6d

Formbook

56c952ead09765292ab4e2db9739943884289c6de37028db2489cd12a46b97f8

Formbook

61de0ac2005f1345bfb72a35e04d02e41d981e6ffa23944d3b1cae93be22856b

Formbook

9a2b8fc3a21d660a2d8526bd1816b1304d60046e26c6d33553701d3883a6d31c

Formbook

9e6337dac3988159b730ab99e0dfe6f8afcb2cfeea67dd8f98df32b836675bed

Formbook

b875a5e660e0e64042fc182c3739d6916568132cf1cc2f8919abe516ac4cf534

Formbook

ba02b1ff767d07fbcd13529b70ce92a08238ef31bdfc4058b23023fc8176d26b

Formbook

+ 9'160 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:n58i loader rat

Link:

https://tria.ge/reports/210910-fbpdgscchm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.biosonicmicrocurrent.com/n58i/

Unpacked files

SH256 hash:

440e5a69d686468780ebd1717a66132f9ff7b50a264b6cfaef36feca05b8fa4d

MD5 hash:

4b5b3556701e15dd7e506ee16abb8b20

SHA1 hash:

d5a5a806a8b8ab544681d7afec1dcee1e9837af8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c9d2c4f0-2513-450e-9389-5efe69ffef5e/

Parent samples :

61de0ac2005f1345bfb72a35e04d02e41d981e6ffa23944d3b1cae93be22856b
ce5200f83fa5cb0f31b93edbfbc372e3d93bc71450f77ba705b452ca523e24e5
acf3df7da4bdf99226ab8574e15d1145e46e28605afdf660f1fb19b1d061c386
b194903f2fb1231113b2cffdd6cf47e25d4d9f99675654f70865b1f3d0a9160c

SH256 hash:

ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587

MD5 hash:

43ababb6b0a02907aad43084f12b10d9

SHA1 hash:

b60ba705891d5a666d64300181b475a46714ffa8

Link:

https://www.unpac.me/results/c9d2c4f0-2513-450e-9389-5efe69ffef5e/

SH256 hash:

2227846e16fa832e86b5612695af06e80f546130e15fe71e7b81c9d619028b04

MD5 hash:

53c32ed283501281794e46043b777b6d

SHA1 hash:

7aff9bddc4bbe24c6b8b3bb1ae118d458392a660

Link:

https://www.unpac.me/results/c9d2c4f0-2513-450e-9389-5efe69ffef5e/

SH256 hash:

ce5200f83fa5cb0f31b93edbfbc372e3d93bc71450f77ba705b452ca523e24e5

MD5 hash:

c9bd9f624a71fbfafd2f09d361ec3082

SHA1 hash:

42521533146be0b9a72682d450ef6f168c9f4aae

Link:

https://www.unpac.me/results/c9d2c4f0-2513-450e-9389-5efe69ffef5e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/ce5200f83fa5cb0f31b93edbfbc372e3d93bc71450f77ba705b452ca523e24e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample