MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 22 File information Comments 1

SHA256 hash:	ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb
SHA3-384 hash:	ede14c355146561434723fb7412ccc698c82fcd6b75215c28c6333ead8ac1298c733c8de21a09955e331b95c0e6469aa
SHA1 hash:	9a17615211b658fffe30d1edf9a12c946b991830
MD5 hash:	28527ceca95ca154ef0830e7e1d12cca
humanhash:	whiskey-pluto-fifteen-stream
File name:	28527ceca95ca154ef0830e7e1d12cca
Download:	download sample
Signature	Formbook Create hunting rule
File size:	873'472 bytes
First seen:	2024-02-14 12:16:29 UTC
Last seen:	2024-02-14 14:31:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:zer5d/+wFA88xSTXO/z6vh4VauT4ooMu:A//vA88xSrO+vXuUD
Threatray	581 similar samples on MalwareBazaar
TLSH	T1C805AD14B7F91609F2FF0B7BB5B1102686BAFE167D42C71E19515A9E0C22B80CDA1B73
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4504/4/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

c58f153aeb6597d18899c08977d121ae63235244dd77fef1a0241d9012715e96.doc

Verdict:

Malicious activity

Analysis date:

2024-02-14 09:47:07 UTC

Tags:

formbook stealer spyware

Link:

https://app.any.run/tasks/6370880e-0d72-480c-8c7c-f53cc16e3025

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/476125/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2669.19284.89.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto lolbin packed remote

Link:

https://www.filescan.io/uploads/65ccaf40f3eb3349c33fc2ed/reports/91e22af1-ce7f-45e4-b4b1-984e67a06e8f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d81fd4e3-670c-41a3-9550-74bb40a82262

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1392103

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb/

Threat name:

ByteCode-MSIL.Trojan.Remcos

Status:

Malicious

First seen:

2024-02-14 12:17:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z2cevd55nw4bil77nmkzvfynd5qvnxnb3v2yqkhf5b2vvn5jelfq._file

Verdict:

malicious

Label(s):

formbook

Formbook

68d274fefca7e97cd103190760443388f373e8799b430e9ecb24a194376d6a0f

Formbook

991c49a8668592960e79a55c4a5d6383e127f531489b6a5b72e01e54df6df9d7

Formbook

ab710aa679cf2c5853f83141301255dc80f7bd7b1e612894c76c3cf36b1e018f

Formbook

c58f153aeb6597d18899c08977d121ae63235244dd77fef1a0241d9012715e96

Formbook

e6a462349a069f73fc1c7e22d000946aa4309482a8babcab333aec8b4883fe76

Formbook

ea0d508838824f307834ad0175e5c033295b29ee52c79e1aaaa43c4cd3453d34

Formbook

+ 571 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240214-pf13hsbb68/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

c3891e71226078653a65ad92cfb4b4604ae06e6f45237e8fd3d003c74d127493

MD5 hash:

988e9403c5379e9dd79c3a8a7bcec1ae

SHA1 hash:

f2cf6cfd34aef492277b0ffb4060f33a02e4f4d3

Link:

https://www.unpac.me/results/e6edcddf-79ef-4093-a5a6-146334bdf5b8/

SH256 hash:

4052f1af8249f1ce8832e0e5027877087432dd1cd74decfc3c7f14b1c37ce0aa

MD5 hash:

1e2cb46bc2a6b386166df3293c3b39e9

SHA1 hash:

4efac2ede03b483dcb93cfd6838dcf59bd35ff3f

Link:

https://www.unpac.me/results/e6edcddf-79ef-4093-a5a6-146334bdf5b8/

SH256 hash:

45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b

MD5 hash:

fb1bc19121c4e190d83672bc71b493f0

SHA1 hash:

c3488b969ba578e28ee360be24b6416425a224a0

Link:

https://www.unpac.me/results/e6edcddf-79ef-4093-a5a6-146334bdf5b8/

SH256 hash:

cc380f6485ff122f45942cf6dd6297e3b8b161248d69be9dd98317e519e5bc89

MD5 hash:

dc86c6c5f4b38a3feaed31987384e1e0

SHA1 hash:

bbf974e1d331887f59ea84661938502c7e6092c1

Link:

https://www.unpac.me/results/e6edcddf-79ef-4093-a5a6-146334bdf5b8/

SH256 hash:

ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb

MD5 hash:

28527ceca95ca154ef0830e7e1d12cca

SHA1 hash:

9a17615211b658fffe30d1edf9a12c946b991830

Link:

https://www.unpac.me/results/e6edcddf-79ef-4093-a5a6-146334bdf5b8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ce844a8fbd6d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe ce844a8fbd6db8142fff6b159a970d1f6156dda1dd758828e5e8755ab7a922cb

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2761115/

Cape

https://www.capesandbox.com/analysis/476125/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-02-14 12:16:30 UTC

url : hxxps://universalmovies.top/pages/binzx.exe