MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a
SHA3-384 hash: 7ac9c4d39ecd186a6135b67e51edb1775c4328ffd3884f2c5500787f943a38843eb00f21c67d3a83cdafab3736f06a9c
SHA1 hash: f68e64b59c4f114f749954c87a05632dccabd5e1
MD5 hash: 05eac7eef493ea01e4c5375bb339bd7c
humanhash: beer-harry-angel-nine
File name:05eac7eef493ea01e4c5375bb339bd7c
Download: download sample
Signature FormBook
Create hunting rule
File size:942'080 bytes
First seen:2022-03-23 08:23:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 051bfffb3a6ca0b186f872b7bd3540b2 (1 x FormBook)
ssdeep 24576:Oam2dDVshRly2WDh3i8liw71y0gnbSlSIdcQia6n6YhdAxVcFZpiOJDnVinKHCPy:OajyPly2WDh3i8liw7rgnbSlSIcv6Yhs
TLSH T1F315BF67B2A12837C12326384D5B5AB4993ABE103D74EA467FF91D4C5FF9A0178283C7
File icon (PE):PE icon
dhash icon 7cf4b6ae8cd0e8f0 (4 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255550/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.27240.16065.10316.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10768/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/623ad94eb94fb38cb4d7ade9/reports/a702e994-f78a-4bdf-9554-6140b94ad812/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e448edb2-c7b6-4323-a784-0cc17b5691e1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962734
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 01:38:15 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qwoxtnjlsz2hgwwwcbit7rxmrrvx6f5ngrxfqc7afagmw2xwvna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:h93d persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220323-kaxexsegdj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
ca2ce40cb878ee57a487ee26e86a6d5be9996171f32d8eea12f19f974bd6dcb8
MD5 hash:
1f2c2df0c24a74f49c5b37a45a92f826
SHA1 hash:
915f340b525a5e4cd5f3aa380c747a925ad1732d
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/d9bfca04-ba65-4213-907d-545f493a637b/
Parent samples :
8f6c3613cdccfdb0d7fd02b33e0afc8c13c640d305b2fdc3319135a18e3ca73c
496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730
6171e04c14e21039e5d518ea5b1129a09ac09d23f8c8169da89ba5fc7e816a35
fb8a339c0426e7443a8a557a8db6745d4510abe1086a0ecad45493bbcab97fca
4ed75b8466a537951e39fcf6a8a024701d41c6ff3be98153dcc81dbff6a75756
f443e1a292f282bb4eefcb9072d2ad429fd5d10983732f8c0b23b1f607e63314
1359549cb60ef5ca5fca53dcc5a47d9552fd5e24afe09ef563f18051417fc4ac
df451e4553398ff8f82e6f516f7bd9b04fb8ea925612f2ab95b98284abb228f7
63f565a5108d757c36e565bd6f4d2ea6410445569d0ecbc70b9c33ba4115f0f8
00d73f1d61efc0d907030191c3953dd239de9aded5c6cc4029262127ce1e209e
fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a
566804eeaa9725faf35958d6bd0c12ec0715950881d260b6815618fc399f74c5
10cec299494a6aa98989e015fb80ffa0262912a4c2f52d57222fd4e9277e59cb
4860d96e25e9ffa5a288ee4ab81dbda67a521786b2abd2b7a91a3b37e863fe58
a1e618daaaa3133d466df43f3b43ff6b095deb8d2c010f5e35e592800eebc87b
f58399e122dc517bb6594d46903c8ea5f3a913feab06e3038f4a78760bb63ce6
88f2a0b582807e7cb8dce67a8bd81760c0f7f2e6329062c256cb7fe7ec7f3221
a6ccc05556ccbb60a723a57a8a584cc150e2f4819ef7b11c76e947e84dff0e10
a9a86b379236a699c4a6da12df755787d31a8c318e0fb79bfd240896a61f2a51
ba08e639ff6481a49493f7b2c7f5e56500960a32970e29cfdcec98689a3e3451
f29af471bd6ae227e1937769b3bc2341a5906732374a25137ab6d8715bedc874
6a870d79774d97f41d243d912d16c0079b923c64931ad7a93fbf303b0427ee36
4e4e661714c95139dea6c17509411aabe685fa5feada011a232fef5c04244aaf
a6bafb2bb8dc44d9fff66e3301c27fe77c36dde8d0a8a5c95779b2b8770c33f8
fb67e8ad570d57edca0baa8f47ce75a50eedb5df3af97cd141aeb508b8409f3e
a0d70aef1803b9aad25507304eaba337c45d2474dcddd5e52bcb1095087775c7
8f5f58b0b0e95605ad5e5324a75277d25590a13dd9b4e0fb05505b815833a2db
805a169b8f08ee6d903d5ea86178a1e50e65ae3c51a91085227b0e77c04efbea
cb8a598ca7d108efe4e56865bd748cb586b06c2667e5118ffbc22dff3f741648
f4a406b6b21db8b516e579643929b753453ebb4604cc799ec69f712fd7ba42d9
8dfee94c273148e304ce65b2174c1bcf211e31b9fb7074bb03069c831a4b119a
db5a12184d9b6acdf484a88b3e65aa9435f8a9d7eda48418aef2d028b98913d4
54ca735ff5fee6b29cc940ecb074e3b58c24ad834fee7cfbe56e78a04aa8e085
1521b3679443397b8a953666ff6e81b4650a4c3e731bd0ae5c057a29cd238332
e9e0c366653836804dbd66fa13dc4909cb186a2117764679e1e46f29dc9500bc
bf7843608d1b1c3fee60bf8fd4a9410047c8ef059ed1e55e018da081670159c5
01e55c453fc19c5df2c53fa3e1ddf9bc8f8af5ed23d361f3bc30df2e913072a1
a3792b703dde1aa5a935183c6696ce91cdea54579e9045b55848df91e6b312f9
d3bc2b767f795b5fc0859a8a5d3efacb8150a9c272d89701c164d3f703e15ba1
63fef1355c2426329defba3c5fc037b68085c45196ab8bd7ff2991b5dcfc80c0
1e7717a2d798ca288276e378b76ee35a7cdd11e0d32ed32f33670163a08c390c
9d42b1b9280301d54b45752d046405be7e1a632de78723aa46cb20c1cc43c801
204e96b879210c8e42455d3670b69e7c2408bb65324b8243346803ef24af6f9d
1755742f318f26db4bd9a258426cf22e90b27c2dd67e67fcf662659bce8847f0
927dde2c104b2a0d38a5d8c01f2aa5a16a049a19ce3e644a5adedfd670286e57
464fb0b39e6e803f8e032a0380fa66babe20032affda8b5dbf0f8fd687526443
e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd
66be852b20b6210134ace4c51802bc9fe3aba2ef95ecb31940066a11dfe57c34
e11e9572f2bc772cb5858c427326c4408520d1eb0f62ed2c9069c3c3dc710a01
f94b77c7de3e47949556c797e2fac84ada108a52ea67a57d9658fe9cc149b148
9380f842781eeb483f61572a8a327221cddc6402ce15807dd6746c31d40c3bb4
56958cbd9007cf88fbf7bbe0ab8cdd745af7c3cb43f495cf12ef37cace388bcb
710092a3d3733568c12c36e742da685e70ac3aeb9a851974c6b07a3d5f1d74c7
b90122d45b3e426cdf4343cc47fd486e67d4d2fe861f6a686f4d29919a327ed3
ed26cf7c1e212b911017851bdd62dbddd9ebeaabc1a7c39a85780cfe2159a66b
15a3f360c7768d11c783c454207c4a278c0855091901dbc985074a8e3b0c68b7
652eb4b75ead907220dc496b91ae07adbbe0e542f6765dfb57c802cdf4ecf23c
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
736a64dd3a9f74117c2e3ed828599c5aa5844146cf75b3a67d7c775bee0df90c
8a032d84d6da1a5b4afb83c4b9cd9be1fbebb29f3933a09eedc5955c899b1fbf
c16b9319edf591f4b75c3b69e09451de772816ed5a7915c9112bb8dd14e4aea3
e9b9b1c8e972c4882a540641d04979d3c7d6c762ee64707a1a2b147d06a43326
bff9f8e4fb678a405e05a729c9649fb5097ecb4c4a02a87ace28401ad22072fc
ab6089eaf0b6e157fd74eb677bdd1e457cbbe9cc1b97699dc7e8dab7989eab2b
99e39ef9a5267ed9790fbef614fa3a0054025c1cb866295e9e320bc95b128280
SH256 hash:
d5fa5f9b88bce00918cc6918ead95dd7b1c2798b2718ad157281b9675adc6a59
MD5 hash:
d0eb5aca9c37bea95cc61e77cb2983f0
SHA1 hash:
b38c227daa870f8f2823309b7175e7f3fc548793
Link:
https://www.unpac.me/results/d9bfca04-ba65-4213-907d-545f493a637b/
SH256 hash:
fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a
MD5 hash:
05eac7eef493ea01e4c5375bb339bd7c
SHA1 hash:
f68e64b59c4f114f749954c87a05632dccabd5e1
Link:
https://www.unpac.me/results/d9bfca04-ba65-4213-907d-545f493a637b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fc2cebcda95c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FormBook

Executable exe fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2111927/
Cape
Cape
https://www.capesandbox.com/analysis/255550/

Comments


Avatar
zbet commented on 2022-03-23 08:23:31 UTC

url : hxxp://103.125.190.201/cloud__to_drive/csrss.exe