MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef
SHA3-384 hash: 693b6489c81e9d35d2185149663074934e84fa109b57b1c0f509f526faf1bc18b117ab2e3eca1d71750de5e2bfa2f088
SHA1 hash: e6c22b3242244cb8000df3b26529c5f24b76be57
MD5 hash: 05e4aeecf11a890bfc365ccce931065b
humanhash: mississippi-beryllium-earth-king
File name:svc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:481'792 bytes
First seen:2020-07-09 18:32:25 UTC
Last seen:2020-07-10 06:30:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:ISU+Hg8Tk3nk0jskko0kkTmZj7U+Hg8Tk3nk0jskko0kkTmZjakPLBMNxwVdrd4T:RUB57UB5aQ1kxwzSfqVA
Threatray 5'280 similar samples on MalwareBazaar
TLSH C9A4BFFE32585357C419B07A856AC23943703D17A051E256BBCDFF8B34F2FA7802A59A
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: ngay6.localdomain
Sending IP: 45.127.62.200
From: Patrizia Piovan <import-export@kaltek.it>
Subject: Urgent order-07820
Attachment: New order.xlsm

FormBook payload URL:
http://sagc.be/svc.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24065/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 18:34:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
Formbook
4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8
Formbook
8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2
Formbook
8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7
Formbook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
Formbook
b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4
Formbook
bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
Formbook
bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112
Formbook
da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d
Formbook
eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1
Formbook
+ 5'270 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200709-b821vg2hda/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Excel file xlsm 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc

Formbook

Executable exe 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/410596/
  
Dropped by
MD5 2433e76542036ab53b138a98eeda548a
  
Dropped by
SHA256 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24065/

Comments