MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2
SHA3-384 hash: 3ca8cc0dd18b1c1234fba02e491ca5ca15b104d415f2a7c28e5294fd6e66e6465f0375fe90e2a1ac32e21df2f7e920b7
SHA1 hash: c4225e8703cc8e8ccc895d5ef4fd533e7418a829
MD5 hash: d0be0d015a31597a578384f47f659ee3
humanhash: paris-uranus-yankee-apart
File name:cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2
Download: download sample
Signature Formbook
Create hunting rule
File size:186'368 bytes
First seen:2023-03-07 12:40:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:s7jB5SkLbpr9NvdCF8tdiuB6MaIUIEoR5IRMaFi6nRH9grGlAJayO+KagW:Y1kQFJN1LdUS5Eu5IRM+V9grXayO
Threatray 2'328 similar samples on MalwareBazaar
TLSH T1DA0412494E4B710AF631AA7DB3A73DDC5570B73C1749C5A84CEC982D205863CA89EA3B
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2
Verdict:
No threats detected
Analysis date:
2023-03-07 12:40:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39142a94-c057-4d08-9e08-ab3b7ccb92bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372239/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed razy xloader
Link:
https://www.filescan.io/uploads/640730df38520b6ce9ed2d34/reports/7807b22b-c216-4957-8efe-f3859e5f3b81/overview
Verdict:
Malicious
Labled as:
Ser.Razy.Generic
Link:
https://www.hybrid-analysis.com/sample/cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0aa05b3-49e1-45fb-9236-c5b87ac4e3a2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188565
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 821440 Sample: Jbl3swmXWN.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 18 www.hayuterce.com 2->18 26 Multi AV Scanner detection for domain / URL 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Antivirus detection for URL or domain 2->30 32 4 other signatures 2->32 8 Jbl3swmXWN.exe 2->8         started        signatures3 process4 signatures5 34 Modifies the context of a thread in another process (thread injection) 8->34 36 Maps a DLL or memory area into another process 8->36 38 Sample uses process hollowing technique 8->38 40 Queues an APC in another process (thread injection) 8->40 11 explorer.exe 1 1 8->11 injected process6 dnsIp7 20 www.arizonafilm.org 45.79.19.196, 49715, 80 LINODE-APLinodeLLCUS United States 11->20 22 www.howtowingames.site 199.59.243.222, 49718, 49719, 80 BODIS-NJUS United States 11->22 24 3 other IPs or domains 11->24 42 System process connects to network (likely due to code injection or exploit) 11->42 44 Uses netstat to query active network connections and open ports 11->44 15 NETSTAT.EXE 13 11->15         started        signatures8 process9 signatures10 46 Tries to steal Mail credentials (via file / registry access) 15->46 48 Tries to harvest and steal browser information (history, passwords, etc) 15->48 50 Modifies the context of a thread in another process (thread injection) 15->50 52 Maps a DLL or memory area into another process 15->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 12:48:52 UTC
File Type:
PE (Exe)
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3ye47qainsilpvq6brg23puqbrvdbf3tpa2ecjajehk5vxel6ra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2382a65e62ea823df4d480c958ba0df9712521d74cbf85327f1279c6729f4797
Formbook
2c20e13c644886b403df4ba49657c0d032eb34655b7f7d46aeffcf9fdfc9c1e0
Formbook
2c93f13378494ff49e5b0d019538efd6c35d3c745bbcf9fe6e28688133d3f76f
Formbook
317af501cb3f40775e821990fbbb2018ca7b652cd7c2cb2c3db10a5020f6e568
Formbook
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
Formbook
69870e2a61815839fdc55f251a07c89580dc6c1725f850288c4dc190c08b7175
Formbook
86741510935fc30581a17848b7d391461c8aa3c749fd8c7998682c637f7486c0
Formbook
c30a52af8e6fdb816ad1efea8ad00af616202cdd9df1fccaa85d744da35f65e1
Formbook
d7891c230103e0424c00cb31edfe25873433c901bd999772d9ab9013ba1e1da0
Formbook
dff25372f8a0a3b43b9de36be64239d4cb3c722b95d416cd48b44c734689d20c
Formbook
+ 2'318 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230307-pwrtsahd51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
b22abab54242aa0fcd22fa71a9750cd24fc2f746f8366b01e2d85ad0fc928fa4
MD5 hash:
71115f77fccc47b6f74b35691aae1986
SHA1 hash:
bc9803fa41fbd22890628087c6a6bd328b5df59b
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0580c8d2-7adc-44d0-b4ff-df2a3b54d9c3/
SH256 hash:
cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2
MD5 hash:
d0be0d015a31597a578384f47f659ee3
SHA1 hash:
c4225e8703cc8e8ccc895d5ef4fd533e7418a829
Link:
https://www.unpac.me/results/0580c8d2-7adc-44d0-b4ff-df2a3b54d9c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/cef04e7e00436485beb0f0626d6df480635184bb9bc1a20920490eaed6e45fa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372239/

Comments