MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74
SHA3-384 hash: 7a8e2f3a3f27df66d47ae941b69d28ec0f618ce556d8dddc44001e94d6d036c8c2386d642f1749a36f8f5dd42f867e6c
SHA1 hash: f94a15719d167e7b2f4d690c1677888b2b0f28ba
MD5 hash: d1cfa7a6250a22df89fd8145f443d70b
humanhash: blossom-nuts-mike-fifteen
File name:Leveringsdokumenter.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:653'824 bytes
First seen:2021-12-03 16:11:03 UTC
Last seen:2021-12-06 14:54:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:uv4YqYWLZkVhzqir/dezFoYAsFQ9LUuVWvotOdVJ6E6+rpbqVL0xk6e96C2U/2aX:uXqn0qwdeZ808IbvjdVUB+2lzAKp
Threatray 12'228 similar samples on MalwareBazaar
TLSH T10AD4CF0179A8C097D63E0EB2E9A6E17011B47D9FE5C6D18F75C9BB6E30B2352005E72E
File icon (PE):PE icon
dhash icon 8084a48cbc8ce4f8 (44 x Formbook, 20 x AveMariaRAT, 11 x SnakeKeylogger)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Leveringsdokumenter.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 16:17:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/644c4ac0-61a6-4607-a159-6cdfbd64f347

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211087/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61aa4199fa72c81b5b099ba4/reports/8b023eda-a5c4-44bc-91c4-d70ab19082f2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/158b076f-57f3-47cf-99d4-f4fa49ceb019
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901045
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533521 Sample: Leveringsdokumenter.exe Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 33 www.sxuseon.com 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 9 Leveringsdokumenter.exe 3 2->9         started        signatures3 process4 file5 31 C:\Users\user\...\Leveringsdokumenter.exe.log, ASCII 9->31 dropped 49 Early bird code injection technique detected 9->49 51 Writes to foreign memory regions 9->51 53 Allocates memory in foreign processes 9->53 55 Injects a PE file into a foreign processes 9->55 13 vbc.exe 9->13         started        16 vbc.exe 9->16         started        18 explorer.exe 2 160 9->18         started        20 vbc.exe 9->20         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 22 explorer.exe 13->22 injected 65 Tries to detect virtualization through RDTSC time measurements 16->65 process9 process10 24 cmmon32.exe 22->24         started        27 autochk.exe 22->27         started        29 autofmt.exe 22->29         started        signatures11 43 Modifies the context of a thread in another process (thread injection) 24->43 45 Maps a DLL or memory area into another process 24->45 47 Tries to detect virtualization through RDTSC time measurements 24->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 16:12:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tcwzhdrv5tuobpnxxmtklxj3ymo44z3e255u463qo57z65jpj2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e4457b67ffa5012b613997788d6993355a18568bdc30c4c2e76f8ec9313aa0b
Formbook
3b5e31e4b62087dfa7cac1a39c31896d25d465c971fe1db3e9a9271471ce416d
Formbook
570f6cf56c833b755dcf8618a0182d27fd9ac39a0ad4595ea9a774f346970b7b
Formbook
7384a61fc69ce24610f7c4658c2ef8786c4cdc5d6ad6b33d1a9f506d6b6388d3
Formbook
8ab0631733cbd75ee80236daf25af3a79d6c2471c2c5b3f354407f92101bea28
Formbook
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
Formbook
c0064ec7925f6ba2b202bac90707efb73e2c843ad4c946a12fdf3c49be910fbc
Formbook
c6106fc0a5a8a0fb4a2245bd159b22ed22ec40840826b51b585f78f97f860be8
Formbook
+ 12'218 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:seqa loader rat
Link:
https://tria.ge/reports/211203-tmy9qabhh8/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.hybridsea.com/seqa/
Unpacked files
SH256 hash:
1eba3e6e55f4aa87ee88dad11183f808f00870bf6277e3ae19fb31400a1dbe5b
MD5 hash:
00b620728472aef2af115e0455930cf8
SHA1 hash:
649a4ad0f13a3176ea36b855c1b36fbce246446a
Link:
https://www.unpac.me/results/b6fcc125-6385-47a9-ab27-9d131ad75f2c/
SH256 hash:
a7773725790f5e006742af4cc09648198ae976ef923369cee448acaf4917e1a3
MD5 hash:
b5092f78dcb97488b2055ccd9a969418
SHA1 hash:
0d48ff7d867a93d3fb85ff5bea2df42602e6dbdc
Link:
https://www.unpac.me/results/b6fcc125-6385-47a9-ab27-9d131ad75f2c/
SH256 hash:
dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74
MD5 hash:
d1cfa7a6250a22df89fd8145f443d70b
SHA1 hash:
f94a15719d167e7b2f4d690c1677888b2b0f28ba
Link:
https://www.unpac.me/results/b6fcc125-6385-47a9-ab27-9d131ad75f2c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dcc56c9c71af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/211087/

Comments