MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1
SHA3-384 hash:	0acd0cb780e712fb6d7d854945cbaef5a15e89171770d3e09632017a53b10bc86f78690f338f46c27ce4104de3574032
SHA1 hash:	7230e7f3bcb4e57d73fedf3c0d85067e95761323
MD5 hash:	f7b5a24637b27abfd5809a27997ea31d
humanhash:	mars-blossom-steak-bravo
File name:	SecuriteInfo.com.Variant.Strictor.272734.30355.11938
Download:	download sample
Signature	Formbook Create hunting rule
File size:	697'344 bytes
First seen:	2022-05-23 16:41:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ii+Y9LG4kiVo8Bg+fK6NQrFECIPHSzqCG4NuOMHUSQSLLXE9D:ijY9y+Zg+fK6qru6WCG4NuO1SQSLLID
Threatray	15'817 similar samples on MalwareBazaar
TLSH	T187E4F0E0E550D21BEDB68AB08035EA34A2755ED8A0F1E54E55D4B8A337F329F10B3C97
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	514444594d55516d (3 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Strictor.272734.30355.11938

Verdict:

Malicious activity

Analysis date:

2022-05-23 20:57:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/655393c7-3bf2-4062-a7dd-504f703dc37e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273801/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/628bb99a0be8a16da4e7dd23/reports/86b5cf1a-21aa-48be-923e-427c64c3925d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b577219e-efe7-42e4-b45d-313d592ddc0b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1000037

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-23 11:17:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3mqb6pmawibg46dvye2a2z66xxzlb3e6h6fkfmqwxzkqihrcwqq._file

Verdict:

malicious

Label(s):

formbook

Formbook

67435ee3c6fd3d272c004256f34020df37fb93fd33c18720053b9d2c1bb19b67

Formbook

71bad0685e5b2447a8dcdc960ee2930ad5ec4910d5d449040fb52cb9754df2a2

Formbook

898b47cb2e4d16a7325de16aae14c3c66894467ece923e706c186ee9ab75799b

Formbook

af9d760cb99f11e3c067147897227817455fb9cea10e5db1b08dd582ca795a5e

Formbook

ba3eb6491a8a4953418407379da280e591d403f2ada5f3ac941bcfaab1951418

Formbook

c0e6b0b4e80d36f0872fe01ed20cc5a6d17083f6d11ff93cc5ccc841dd43aa33

Formbook

c9ce6cdd55466893068a0f0b4f6b0ea2e96ca3f7d55f818bda2205985037ac0a

Formbook

e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd

Formbook

+ 15'807 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:gfge loader rat

Link:

https://tria.ge/reports/220523-t7ncysadhm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

b7f01ac14350b7644caff31902dd801757ec7c468dadb86f0283329635140064

MD5 hash:

c35e0f7b3802d97501727c57d9054d9c

SHA1 hash:

72809a3885a155339ac93cf750ac05d367d89c5c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

Parent samples :

a997b6a541b763d9a2efe9e00e5d06facbe23471bbca2b19f30c8126c93bc101
c0e6b0b4e80d36f0872fe01ed20cc5a6d17083f6d11ff93cc5ccc841dd43aa33
abb7b79496780a03680d3406348b02a7418a75260a97ad3a63a9c0d11d030488
c9ce6cdd55466893068a0f0b4f6b0ea2e96ca3f7d55f818bda2205985037ac0a
ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1
3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898

SH256 hash:

3ccf62991ac8ae2d178e665d6718c974ebe45e4c3864c274ec8284f7900139d1

MD5 hash:

73cdcd73736f225bfe54789b52b1e904

SHA1 hash:

c65832ca96467c761ec6b2f31a8c83471e97fb45

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

SH256 hash:

96f477fa541d89b6c28265294fdbf763cde349089c9ea647a7be0ae74fac3c0e

MD5 hash:

015eaf3da2d821a7879764b54d6d1798

SHA1 hash:

ab5d8a4b868574dac9ff584598fb74b3cacc8f97

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

SH256 hash:

fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55

MD5 hash:

f20fd214bbda1a459a3eb415eec86017

SHA1 hash:

c658f61e4f308a69a4509649439814166c655e84

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

SH256 hash:

5d42a7784a897b4a58b56d748687d3b822d7a5f14c4deb8fa856c31a4c5e210a

MD5 hash:

a1a6638c4f51e7d4d56a8d638814717e

SHA1 hash:

534ad1cd5fe168e691a382da9f1abcd69b64bb97

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

SH256 hash:

fe94b240f3d8b6aefd55a35e99169e55bc2b69f352dd32706a07c67c42554cb8

MD5 hash:

ed6c156cde97234e9183168b2dd26bae

SHA1 hash:

ee17e1cea45787013989537b46ecee4d43c640d0

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

SH256 hash:

ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1

MD5 hash:

f7b5a24637b27abfd5809a27997ea31d

SHA1 hash:

7230e7f3bcb4e57d73fedf3c0d85067e95761323

Link:

https://www.unpac.me/results/dc7306e1-040c-4655-a0d9-f22cfac3243a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/273801/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample