MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc7b855d0ec804e93846a45b3d6b8b58b35e5314149bc57fae5e0623f79fe91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dc7b855d0ec804e93846a45b3d6b8b58b35e5314149bc57fae5e0623f79fe91
SHA3-384 hash: c90a89cc738990afa0da6b362461a377e3d8ad6d95e2257be817150179e8a04065a5c33e3ad601432bbf9eeac371c5e0
SHA1 hash: 19cac4a0dcd7c1dde0c6151ddc76aa1dad51728a
MD5 hash: 5f3fb711292d09ddab06d5cf78cbd982
humanhash: stream-friend-michigan-purple
File name:ekli siparis.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:504'320 bytes
First seen:2022-05-23 16:56:54 UTC
Last seen:2022-05-30 07:04:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iIobSSZI9T3RVIJ89ZJBHL548wLptolyMcR6:aeSZI9bogpuLptolyp8
Threatray 8'309 similar samples on MalwareBazaar
TLSH T11FB4021B1BD6A0FAD1BC9A31F7F824E540F6975F1910639BC48553E8FB0A747B6028A3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
4
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
ekli siparis.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 19:49:52 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/dbb4b243-354d-4121-a5eb-9b3bffe0904b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273819/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a process from a recently created file
Moving of the original file
Unauthorized injection to a recently created process
Enabling autorun
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/628bbd08370bb1455cc10a14/reports/cd0555a8-c43a-464b-8049-dabdea56e5d9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/615ce9cd-26b4-4822-97a3-8ca430f0c09f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000057
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 632554 Sample: ekli siparis.exe Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 52 www.moneytaoism.com 2->52 54 www-bing-com.dual-a-0001.a-msedge.net 2->54 56 2 other IPs or domains 2->56 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 6 other signatures 2->68 10 ekli siparis.exe 4 2->10         started        signatures3 process4 file5 48 C:\Users\user\...\ekli siparis.exe.log, ASCII 10->48 dropped 82 Moves itself to temp directory 10->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->84 14 java.exe 5 10->14         started        18 cmd.exe 1 10->18         started        signatures6 process7 file8 50 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 14->50 dropped 86 Exploit detected, runtime environment starts unknown processes 14->86 88 Exploit detected, runtime environment dropped PE file 14->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->90 20 cmd.exe 3 14->20         started        92 Uses ping.exe to sleep 18->92 94 Drops PE files to the startup folder 18->94 96 Uses ping.exe to check the status of other devices and networks 18->96 24 reg.exe 1 1 18->24         started        26 PING.EXE 1 18->26         started        29 conhost.exe 18->29         started        signatures9 process10 dnsIp11 44 C:\Users\user\AppData\Roaming\...\java.exe, PE32 20->44 dropped 46 C:\Users\user\...\java.exe:Zone.Identifier, ASCII 20->46 dropped 70 Uses ping.exe to sleep 20->70 31 java.exe 2 20->31         started        34 PING.EXE 1 20->34         started        37 conhost.exe 20->37         started        39 PING.EXE 1 20->39         started        72 Creates an undocumented autostart registry key 24->72 60 127.0.0.1 unknown unknown 26->60 file12 signatures13 process14 dnsIp15 98 Writes to foreign memory regions 31->98 100 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->100 102 Injects a PE file into a foreign processes 31->102 41 AddInProcess32.exe 31->41         started        58 192.168.2.1 unknown unknown 34->58 signatures16 process17 signatures18 74 Modifies the context of a thread in another process (thread injection) 41->74 76 Maps a DLL or memory area into another process 41->76 78 Tries to detect virtualization through RDTSC time measurements 41->78 80 Queues an APC in another process (thread injection) 41->80
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0dc7b855d0ec804e93846a45b3d6b8b58b35e5314149bc57fae5e0623f79fe91/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 07:15:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxd3qvoq5sae5e4enjc3hvvywwftlzjrife3yv724xqgep3z72iq._file
Verdict:
malicious
Similar samples:
142dc674a687ade3bc56e2e78f0a6dc0603d81f176f8a9d794d909b6839bcc5b
Formbook
1db2ec499c11b096c4a468a878a9e6bb791183ca2156eb2e8c233fd7b172b607
Formbook
26255a564473b658bd77619f08223a2a22c42eee8ec43c41b0fbe2335f20ef27
Formbook
4f48ef3036b8e2b724cbf9ec618f35baf7cb5e2017dc5fae4825659a28b58e68
Formbook
5097eef9cd2b1f85668e22ebde907be34789547fcff62d3e04fdfea467e82a20
Formbook
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
Formbook
ae275aba1d935bd3045e9cd3f258b72636e6759506e183423341a992faf47f80
Formbook
db130f1177379a6c6fc9a87eba59870115f8888d6737f76aba9ea77346d0006c
Formbook
eee3d70ef0eb418264c10075b901845b097297613637892efb77aecb236c5e11
Formbook
f335b6b5f38613739f83571c9a86e602154644199fcd0c2f83f3bce64fbd0b0f
Formbook
+ 8'299 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220523-vf9bsabaan/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
08ffa2b4e6e3f4b4b40825417359ce61c915ff986ed57109bec9d9456059b753
MD5 hash:
ab1c1507616700a6a652d49fa35e4ad3
SHA1 hash:
b39566a2c4d09cc0c3cf59c65cbadd5de01007d2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f41548c0-13cf-4f79-813f-f9e29f02b37a/
Parent samples :
ef45348963373f501b165e141423164651c1663584ac33299e93912529b1553b
0dc7b855d0ec804e93846a45b3d6b8b58b35e5314149bc57fae5e0623f79fe91
945c8e963c5602d97a9ff4de62a374a23149cd32c5271804535e00746d8a6db9
SH256 hash:
c0be9b5cd44890ba4b8ef2d96cde84541bbcde7247a90e30b0e42fa2964853a5
MD5 hash:
111f57c483d27d8fc75ba32c4b4735c4
SHA1 hash:
99f826371014d4e8bc7b1d68043c2a5c08993db6
Link:
https://www.unpac.me/results/f41548c0-13cf-4f79-813f-f9e29f02b37a/
SH256 hash:
0dc7b855d0ec804e93846a45b3d6b8b58b35e5314149bc57fae5e0623f79fe91
MD5 hash:
5f3fb711292d09ddab06d5cf78cbd982
SHA1 hash:
19cac4a0dcd7c1dde0c6151ddc76aa1dad51728a
Link:
https://www.unpac.me/results/f41548c0-13cf-4f79-813f-f9e29f02b37a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/0dc7b855d0ec804e93846a45b3d6b8b58b35e5314149bc57fae5e0623f79fe91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273819/

Comments