MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe
SHA3-384 hash: 3c2ff3ab684a72f2676f943c46fd02bdb83fe126ddfdba5f444e6ea8c9632afd201456c0fff3beaf1b01312a615812dc
SHA1 hash: 0716e6d33c4f55b982a096d4c58b299189b654ff
MD5 hash: 565085120a91704ae7629caa9d916986
humanhash: robin-six-undress-october
File name:file.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'084'342 bytes
First seen:2024-05-18 18:33:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4dc3fe6326749d7464f4c796c8662bb3 (4 x AgentTesla, 2 x Formbook, 1 x XWorm)
ssdeep 12288:Db29RJAr+1PI44rcWBvJBTA71nQtF/RN2o31DfcCY0hsx8qlOnOh8ot7:DCzFIJtBvrc0/3CCNsu8OnOhLt7
TLSH T14335BF87A1B934E5D5F780788502A12FF271787BCB14A7AF36E009562B13AE16F3DB41
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe.exe
Verdict:
Malicious activity
Analysis date:
2024-05-18 19:04:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9fdbdb2f-ee4a-4899-9959-a500cfdc3887

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint overlay packed
Link:
https://www.filescan.io/uploads/6648f4a13313f70f0afeef2d/reports/0ade4805-3a45-453c-b7f7-327c3ff5ef52/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3c06dce-f650-459e-b08a-2079f7540e94
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1443830
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1443830 Sample: file.exe Startdate: 18/05/2024 Architecture: WINDOWS Score: 100 75 www.azureabyss.xyz 2->75 77 www.teddycorner.com 2->77 79 20 other IPs or domains 2->79 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus detection for URL or domain 2->97 99 Multi AV Scanner detection for submitted file 2->99 103 3 other signatures 2->103 11 file.exe 2 2->11         started        14 iexplore.exe 2->14         started        16 svchost.exe 2->16         started        19 iexplore.exe 2->19         started        signatures3 101 Performs DNS queries to domains with low reputation 75->101 process4 dnsIp5 121 Very long command line found 11->121 123 Encrypted powershell cmdline option found 11->123 21 powershell.exe 15 11->21         started        24 conhost.exe 11->24         started        26 iexplore.exe 73 109 14->26         started        73 127.0.0.1 unknown unknown 16->73 28 iexplore.exe 19->28         started        signatures6 process7 signatures8 107 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->107 109 Writes to foreign memory regions 21->109 111 Injects a PE file into a foreign processes 21->111 30 iexplore.exe 21->30         started        33 WerFault.exe 20 16 21->33         started        35 conhost.exe 21->35         started        43 3 other processes 21->43 37 ie_to_edge_stub.exe 26->37         started        39 iexplore.exe 27 79 26->39         started        41 ssvagent.exe 26->41         started        45 2 other processes 26->45 process9 signatures10 125 Maps a DLL or memory area into another process 30->125 47 iaVNVfEqrPdlApTSwYz.exe 30->47 injected 50 msedge.exe 37->50         started        53 ie_to_edge_stub.exe 39->53         started        55 ssvagent.exe 39->55         started        process11 dnsIp12 127 Found direct / indirect Syscall (likely to bypass EDR) 47->127 57 upnpcont.exe 1 13 47->57         started        81 239.255.255.250 unknown Reserved 50->81 60 msedge.exe 50->60         started        63 msedge.exe 50->63         started        65 msedge.exe 50->65         started        signatures13 process14 dnsIp15 113 Tries to steal Mail credentials (via file / registry access) 57->113 115 Tries to harvest and steal browser information (history, passwords, etc) 57->115 117 Modifies the context of a thread in another process (thread injection) 57->117 119 2 other signatures 57->119 67 iaVNVfEqrPdlApTSwYz.exe 57->67 injected 71 firefox.exe 57->71         started        89 clients2.googleusercontent.com 60->89 91 googlehosted.l.googleusercontent.com 142.250.185.193, 443, 49730 GOOGLEUS United States 60->91 93 4 other IPs or domains 60->93 signatures16 process17 dnsIp18 83 www.azureabyss.xyz 162.0.222.196, 49786, 49787, 49788 ACPCA Canada 67->83 85 parkingpage.namecheap.com 91.195.240.19, 49721, 49765, 49766 SEDO-ASDE Germany 67->85 87 7 other IPs or domains 67->87 105 Found direct / indirect Syscall (likely to bypass EDR) 67->105 signatures19
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe/
Threat name:
Win64.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2024-05-17 18:10:36 UTC
File Type:
PE+ (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7ikddt55aiq7yufjbv6xmnrm4oqtt4v3rzustto4n62aklxkh7a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution
Link:
https://tria.ge/reports/240518-w7r29ahg87/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe
MD5 hash:
565085120a91704ae7629caa9d916986
SHA1 hash:
0716e6d33c4f55b982a096d4c58b299189b654ff
Link:
https://www.unpac.me/results/433f4300-0e33-42a9-849b-babcd12cdbd8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetTempPathA

Comments