MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash:	fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f
SHA3-384 hash:	96bb73470f85af0b2f80f93f408548e6a8d1427b04868acace40e4c6d3f6711965de825f9432964cb321171c5a143e5b
SHA1 hash:	6c2a1128f45a0c7f2b57ad2772a906084799cfba
MD5 hash:	feb438764e46ae7e7ac29ed3db4193f8
humanhash:	blossom-uranus-kentucky-angel
File name:	SecuriteInfo.com.Trojan.Inject4.59820.22477.20906
Download:	download sample
Signature	Formbook Create hunting rule
File size:	642'048 bytes
First seen:	2023-10-31 19:25:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:l8t69yqLdc+5836KMdirnDmA6mBfk93Uutx8+6vZ6t2fe7+JdS4K:A6X5cs83TME+BrpUuNPt+e7GdVK
Threatray	32 similar samples on MalwareBazaar
TLSH	T135D423407AFD1707C77DA7F949224100A3BA565E5676CB4D3CC862CE4DE3B280A62F9B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c4c6a2202e223684 (12 x AgentTesla, 8 x Formbook, 2 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

405

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/457447/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.22477.20906.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/654154cf7462628255569b80/reports/8c8a2343-5329-41ca-9fe6-a0de5ea0c251/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2457b4ed-76ed-47d8-a7a2-a19f05a49ca9

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1335066

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-10-30 08:35:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7tojzbgc25bxssyh2th7ijjbj6sem3zwtdui2nwnnflfgeydvmpq._file

Verdict:

malicious

Label(s):

formbook

Formbook

08f858c188cfd3e620b156b53c1a9fb49d67445ffc6b5c004f87a93f44aa15a2

Formbook

3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9

Formbook

7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae

Formbook

82e2999475b441f03d417b5ee9df2615ec04693e11c15fd5f6c1e444293b85e9

Formbook

8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4

Formbook

e4b2f31e7c9fb2df6cf161898f23653c49d758f8f733e5910b99f3fd998569e0

Formbook

e8a820b07074384be7c1ffd4f07a230ebce48a21f24a67ed1c0572a6570b2410

Formbook

fa75be54659c7ffd8f59a49687c1ddf79c333861043831395b0fb10b87401f7d

Formbook

+ 22 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231031-x5hw8sch4y/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

040ebacdf0891552a5a175b21e5bd647ee9db167565e025a18bba0d5cbc892b5

MD5 hash:

de9e427377706d0135c4320ade02240a

SHA1 hash:

f9d15efffc83e78c6ce05e6120ef1aa5bb873859

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

Parent samples :

7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae
fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f
c213ee22a5995544b5e65e22ee4fc7084d165f5c0d1037d773dd4e44ccffc686
866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095
2772267437ac2a4a39e1c4893788b420e3eafd75c0517c3d8bb58516c8e2b196

SH256 hash:

0ba1122a32e87e976c3c1076bc93d38b8da59635dd7541bbbe393cd6b76170ee

MD5 hash:

114a8ee279e136584a12827ac26ede30

SHA1 hash:

72a7bed5b5e5c5a69a5570772d22418bbe55e9f9

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

52500663bd47ee6907cfb7518d21d12d8ee702bea0f9cc223ab4f3ad611f3a81

MD5 hash:

8b520466c80f5380cb9ca98e2d7e253a

SHA1 hash:

9499cdcd3d1ac0967fa47b23a1fcc68ec4eacfae

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

50dc658b4a37648aa2f1f5253330faba58acf7fb10bb45a46679c3c69fc6fe88

MD5 hash:

3a05b221e0ac6c9b635e8760835722bc

SHA1 hash:

888b24c1eea0e3bb63500e81e22365e55a08601a

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

ba05154fcdf5647edce7ad83c696b919784b6302473bd457486cc21504b8f729

MD5 hash:

80148d85ca239bf6c340c9b2567321f5

SHA1 hash:

1a113fe9486d7bc1844c91ed23176c722876ca2e

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

f5a180f0f5d5274f93ae3920b042976e69426839205239dd56861394f86a6d45

MD5 hash:

2c69ce4fc21546569eea5f09393ac73c

SHA1 hash:

cdfdec2cf4a81ea66d70bddb3ea216245bcbabd3

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

a1c705df34166ab5ff7ce63af5e68119b8e940c3567fe72d02cffdc3b57677c5

MD5 hash:

9db8f8796f1aec4852533b5481f04fb2

SHA1 hash:

9e3dc6e786cc549a49b92a5d719118b5940d1f9b

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

b837c3a9769497c76efab05c3d856982e8b39a8a48b1405905141838c4c49a26

MD5 hash:

3f8310e95db2088ddba8c8345949bc04

SHA1 hash:

79609524234bbcc9779b840b6352cc3c57fba019

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

ef150c75dced43b34219f3d160ddab216c17fb9b92dc25b46af3a1f15355d1a8

MD5 hash:

f74adcd02d5e441ec1f647b1b0633b73

SHA1 hash:

5fed0da6d13c34a5eed58e90bfe3a01bdbe7b129

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

89ab9b7a8f086d32c868047706b729b6f92e3dc9a176cf7344db718595157174

MD5 hash:

0808dd1ba0a4da51d62cee2679e4bdb7

SHA1 hash:

417b6f2c69ce9ca321c736d25aee24461edef7bd

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

6f27fef1624bc2b201da8e48c3c3e5c53d69c2f20ac2bca9588d215dbea79f57

MD5 hash:

84a47e6dada904f3f71019483ba552fe

SHA1 hash:

0a39d39d6a2f835a9ba8b86aaac827b7bdf89de5

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

SH256 hash:

fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f

MD5 hash:

feb438764e46ae7e7ac29ed3db4193f8

SHA1 hash:

6c2a1128f45a0c7f2b57ad2772a906084799cfba

Link:

https://www.unpac.me/results/966dace4-ff58-4c97-bdf8-78bce3ddd2f2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fcdc9c84c2d7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/457447/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample