MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cee15feb69864e35edc6d39487656a0a2679c76348cd621de043d0242c3f25e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cee15feb69864e35edc6d39487656a0a2679c76348cd621de043d0242c3f25e4
SHA3-384 hash: e6a96f7e419d1dfe1a36e0a6e6fcc8e594e494d62e9636cb912b5afbe3d9bf79df4745e0f5d92fc0d32e0e271830954b
SHA1 hash: 79c711aade039b366f6ea05b679123f6d881f516
MD5 hash: e863b09d9da462ae2004147228ddfc87
humanhash: avocado-video-alabama-maryland
File name:e863b09d9da462ae2004147228ddfc87.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:247'607 bytes
First seen:2022-02-08 08:20:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owJLZKhaS5ZbQTkpXnrJDz9CIKKZ8bKj+remcRwrbQ:FZKkWbtnrJPMIKKSbW+rlMSbQ
Threatray 12'887 similar samples on MalwareBazaar
TLSH T11B34139AA1D385BAD6831CB07AB7D62FF3F9A10503900B5F379F5E9E183034795086E5
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237856/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62022807c79b424d7207cbdc/reports/6fd43ae5-f80f-49d8-a2d0-c79fbea616c5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85157645-1d36-4a49-9bfb-e0a6e0fe1909
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935922
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cee15feb69864e35edc6d39487656a0a2679c76348cd621de043d0242c3f25e4/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 05:53:29 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d42799a7602de1d76ef3b39ceff5075b95dd1e3891332987d525a07ef5c5f0f
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
13d4188437fd7caf662393052ef82808bf70cdb5e31fcc2f162ad2dffad377aa
Formbook
4c1916f66fa05e3ce6bfc378af5ca0afb182fc1f5b866e8f5b86eaf0c1300015
Formbook
4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291
Formbook
9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a
Formbook
adf7fa31e3f65111c002c0cd54c049a05c2327a7d9956f41aa7c7f0f069d4263
Formbook
b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1
Formbook
da99d68a728c3a14d186c03c30b551914fe57073f231d334be7955131cb5f921
Formbook
+ 12'877 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:t9hh loader persistence rat
Link:
https://tria.ge/reports/220208-j81dsseggp/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
4fa3801e33e00605f222c044c24eba271d489d0a34b5d1992ae4c83fe45145f1
MD5 hash:
081774e95d5c26b68797d0e9cfb9148e
SHA1 hash:
30c09bf7752a917b3e4baec02a3fa1a8a35c9e69
Link:
https://www.unpac.me/results/c58e21eb-60d4-447b-a7de-27cae116b305/
SH256 hash:
cee15feb69864e35edc6d39487656a0a2679c76348cd621de043d0242c3f25e4
MD5 hash:
e863b09d9da462ae2004147228ddfc87
SHA1 hash:
79c711aade039b366f6ea05b679123f6d881f516
Link:
https://www.unpac.me/results/c58e21eb-60d4-447b-a7de-27cae116b305/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe cee15feb69864e35edc6d39487656a0a2679c76348cd621de043d0242c3f25e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2033765/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/237856/

Comments