MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df6b6e0bb2608090041418454eeb4966932d5c34ec50ab3d44e5b57a4e44c3a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df6b6e0bb2608090041418454eeb4966932d5c34ec50ab3d44e5b57a4e44c3a0
SHA3-384 hash: 35338cf7c8204cd94c91fa5dc477ed0b166f77af98c3d56884d16fde48516fb88df3abdab3534c47f1880b1acf21e8a3
SHA1 hash: e5b3aa8f967f1a2dd578c190b1a413be1c5856f4
MD5 hash: a3d13abc14518a7e4893b93b3068d730
humanhash: beer-sink-yankee-april
File name:czzA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:708'608 bytes
First seen:2023-02-02 18:10:39 UTC
Last seen:2023-02-02 19:41:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:hOOcQSyntDRcud3l3oCVwd62RM0Txzx9KqWeh3ih9HXA:IJSmuF3//oxFBYTQ
TLSH T1B9E412D9826CCA7BD66543FF64F4A4056BB20A7BF061E70C0EAEA4D4C48F7001955BEB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adm1n_usa32
Tags:exe FormBook


Avatar
adm1n_usa32
low detection

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
czzA.exe
Verdict:
Malicious activity
Analysis date:
2023-02-02 18:08:27 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/5b6d2996-f926-4aac-b81d-c8278ea89f4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/359614/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65252043.316.8497.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63dbfcb51c9cbf7d62556a47/reports/72f476cd-1233-456b-a00f-1f7f99b0cd74/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a55e028-1d4a-4700-bd70-a606ff126c55
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1164497
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 797268 Sample: czzA.exe Startdate: 02/02/2023 Architecture: WINDOWS Score: 100 29 www.toporsche.online 2->29 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 4 other signatures 2->43 9 czzA.exe 4 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\czzA.exe.log, ASCII 9->27 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->55 57 Adds a directory exclusion to Windows Defender 9->57 13 czzA.exe 9->13         started        16 powershell.exe 21 9->16         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 18 explorer.exe 4 6 13->18 injected 22 conhost.exe 16->22         started        process9 dnsIp10 31 gy.adsfzcvx.com 154.210.212.94, 49706, 49707, 49708 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->31 33 www.xn--e1agleejmg.xn--p1ai 92.53.96.222, 49703, 49704, 49705 TIMEWEB-ASRU Russian Federation 18->33 35 8 other IPs or domains 18->35 45 System process connects to network (likely due to code injection or exploit) 18->45 24 chkdsk.exe 13 18->24         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 24->47 49 Tries to harvest and steal browser information (history, passwords, etc) 24->49 51 Deletes itself after installation 24->51 53 2 other signatures 24->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df6b6e0bb2608090041418454eeb4966932d5c34ec50ab3d44e5b57a4e44c3a0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 22:16:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=35vw4c5smcajabaudbcu522jm2js2xbu5rikwpke4w2xutseyoqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/230202-wskpmadb7y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
914db53b4be9e469fbe9e94f95b4c1ed88df4025dc0d2641259bdcad110477c4
MD5 hash:
a732f3d55b1fc0e0b319d31829cd657f
SHA1 hash:
73373a6da128009ffee44a2d5cd0597439cb08ce
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
Parent samples :
df6b6e0bb2608090041418454eeb4966932d5c34ec50ab3d44e5b57a4e44c3a0
c4be26f16b500a69a26c344c7840ac5aee9fa4f32cca050924a848019ed29bbd
0a3fb57d9fdcf594a55f48fe4853fc37ae7c05d15d710cc902a23b5cccf6c377
4a5ee921941ba55cd069a52fc95732b78f4c430a28236c3bd752ac350e4ffa79
SH256 hash:
48ef4cbc1eb08b441aadc5b48bf8f771a21266dbe15bff565f3cf2cbabb88c23
MD5 hash:
f658a00606e144bf215929b3118761b9
SHA1 hash:
58c7098fdce103c098179a71c7ee7594ed50a480
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
SH256 hash:
63862bd68093805492f14388d650f884b4a5765c684a1ad563a5c9b3ee959c62
MD5 hash:
a65da077438c172b0f8ed6f4f7d95775
SHA1 hash:
1b292c750482bdf9c8a58a9ff548892f9662e85e
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
SH256 hash:
fcfc4d9e7f7f9d6c81791f52701951f0df34de6d790af8e73d1f9128d8eb560e
MD5 hash:
284561925360dfebcb05e2ecec94ffc1
SHA1 hash:
06caba0697ae2ea766530e2bf5e572bdf36c6462
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
SH256 hash:
df6b6e0bb2608090041418454eeb4966932d5c34ec50ab3d44e5b57a4e44c3a0
MD5 hash:
a3d13abc14518a7e4893b93b3068d730
SHA1 hash:
e5b3aa8f967f1a2dd578c190b1a413be1c5856f4
Link:
https://www.unpac.me/results/7bf56721-c70f-4483-901e-286f652d8d73/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df6b6e0bb260/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df6b6e0bb2608090041418454eeb4966932d5c34ec50ab3d44e5b57a4e44c3a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/359614/

Comments