MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecb66b3c2799764e4b3a10e4197fe47f1fe3f60ab10ad1c76733d712fb674873. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	ecb66b3c2799764e4b3a10e4197fe47f1fe3f60ab10ad1c76733d712fb674873
SHA3-384 hash:	be6948eafd18ff3a56e6af3534eb2785cdb6cd4cf5aca5ed22fbbcec11ca90491a4013b8b5832da31c00696eab746c74
SHA1 hash:	43998fbc1977c9a96d797ae78096187474a3de0c
MD5 hash:	514c4902edd3b52db3447d7a677580ac
humanhash:	minnesota-leopard-pasta-early
File name:	Shipping docs.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	1'046'528 bytes
First seen:	2020-07-15 13:35:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:qAi2DJIvvde9nJYxDJIvvde9nJY5rJaKlWvQEQvDl/P5:rIv0nJYDIv0nJYZJaUWCJX5
Threatray	5'302 similar samples on MalwareBazaar
TLSH	C0255B821145227DE168F0FAE20710AAEA05EC3EE1D069B66679F7168574E33CDC5FEC
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/26018/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Possible injection to a system process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ecb66b3c2799764e4b3a10e4197fe47f1fe3f60ab10ad1c76733d712fb674873/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-15 01:40:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

5

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5s3gwpbhtf3e4sz2cdsbs77ep4p6h5qkwefndr3hgplrf63hjbzq._file

Verdict:

malicious

Similar samples:

33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be

489d3efd8b97c389697e1851b7c4351b28725dca02d2550b2c4e3770d747bc97

82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a

8b6267e9733bf74cb555493e85cfe2391d3ca07a94d054421b0bb76a1d892a7c

a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453

afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76

b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634

cc84debcfc3e30a4b682bb53e028acb0a75d56607ab25b2418797f65a7e6efb7

cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d

d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

+ 5'292 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200715-kwxsd116ze/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/26018/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample