MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eebb3e709b273372a1edf1ef713c7cd68e90370251b4e15e5f5ec8a9328d816. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1eebb3e709b273372a1edf1ef713c7cd68e90370251b4e15e5f5ec8a9328d816
SHA3-384 hash: c927b1770e35aa91300826612aafe7be302a526eb4f4013346dcf33b326676d74cb3316607e599a1071dde4a3db9acde
SHA1 hash: d648ae466fee94e62e15c38191ad503a9dbc01ce
MD5 hash: 8694548e1a7a361550c7aa3a14d9a3f8
humanhash: hot-bulldog-nebraska-alaska
File name:Order inquiry 2020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:623'104 bytes
First seen:2020-07-16 06:52:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:DkILYg9Ajx7hHOrVroBLXFR0ckiYmQgh+UDF3VBrOhTvZRr3JrFkNOpsWwyu0ppZ:DZeOrV0BLlXQSPDRjrCrLjPPwWim
Threatray 5'176 similar samples on MalwareBazaar
TLSH DFD439B2448D1472D1BA0734D65C25BE12B5BC911B92EA37E52237EB2477F60AC1CCBE
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26399/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Possible injection to a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1eebb3e709b273372a1edf1ef713c7cd68e90370251b4e15e5f5ec8a9328d816/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-14 16:43:18 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3v3hzyjwjztokq634ppoe6hzvuosa3qeunu4fpf6xwivezi3ala._file
Verdict:
malicious
Similar samples:
0a3f320d6e46c364aae4b55f4853d8aff3d6a9d6117cb176b957c298e9184f29
FormBook
21327be564dca2dd0136871d257a99b68daf3a09af75a0fb947f65708f1df2b0
FormBook
387119236c9bd4c60215cab8efae3cdd16a0fe9906d83016b2dc8ee425fad40d
FormBook
577f1aaf7014272adaeffea243272a164641c90553f5d87e4dee03037b2b8a82
FormBook
7029f74bfaf5637a25dad61b7a7462141833886ac9637790d0fdaf7e72d84a3f
FormBook
a2d04087127197f6a4ae49039fbc2c2dc750ee0fe2d71965a7c675d556d362d3
FormBook
abb96fbc3e4b80337204e33d19134498c7eca75ba47390fe4df7939383515e6d
FormBook
afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76
FormBook
b3df56321b7da5c5bbf1836d3d51a81840becd610d435f4b799b7565863329d1
FormBook
e4031bfc8a9e6268a0c5c85697424583fcf998bc75728a3b9b2f779879f167a4
FormBook
+ 5'166 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-natsswvwb6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 1eebb3e709b273372a1edf1ef713c7cd68e90370251b4e15e5f5ec8a9328d816

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26399/

Comments