MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1
SHA3-384 hash: d35c0484861fa4fda37923a73a1b9c1e4b48fa4275ceb6c563f82a316673e9a200f0ddbc2b219061d562dde8f956eecb
SHA1 hash: fee8b77fcc1037e65929d031a0788e3269ef869e
MD5 hash: eeb5ad78ea112b5deff59465cb1be3f6
humanhash: vegan-washington-alanine-maine
File name:eeb5ad78ea112b5deff59465cb1be3f6.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'002'496 bytes
First seen:2021-02-03 18:48:15 UTC
Last seen:2021-02-03 21:01:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:UI0UfUlUhD8Bf0Of4V3fMBHV7phPkvC9YgVTOc+hr:R0UFhQBf0c4VP617LPkvsYgV3
Threatray 3'770 similar samples on MalwareBazaar
TLSH 2625E06332445B76C83D9BBB052A44640BF3FC07F6A6C266BDA861BF05727509A27F13
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eeb5ad78ea112b5deff59465cb1be3f6.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-03 19:17:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/955622a3-f343-4b26-a77a-2cd7b7f40141

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115437/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.524.6582.8191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/598392
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 348231 Sample: 6eXBYoJuN9.exe Startdate: 03/02/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 10 other signatures 2->44 10 6eXBYoJuN9.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\6eXBYoJuN9.exe.log, ASCII 10->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 6eXBYoJuN9.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 32 h678ui.com 182.16.15.253, 49756, 80 NETSEC-HKNETSECHK Hong Kong 17->32 34 innertwinearts.com 34.102.136.180, 49757, 80 GOOGLEUS United States 17->34 36 6 other IPs or domains 17->36 46 System process connects to network (likely due to code injection or exploit) 17->46 21 netsh.exe 17->21         started        24 autochk.exe 17->24         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 17:14:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3zbg4yprwlhe4hlwlw6xoiin4tgq4gjcrv6a2ry6xjwzy7we7aq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00acf6968d171803228a4f1450253321b344b28f0354ddf9c1c2264922413b06
Formbook
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
Formbook
4e25af6dd433e9600d5126a7746496427f149a36682880785741a53159a6deb3
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
74e5237030f7b3dbbcdfd7f30bf3fd3e463cbe7d6253c8bd7a737b6aeab05b5a
Formbook
851353adb58e4070df07037da80543a4d67d6eceee20659fe9c5cb5ef4c1a344
Formbook
a0a65e80ca7f9fe9b5dbe136cf4a2b548df61516c223684f43b6701019fa3d17
Formbook
a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d
Formbook
c9bc1c7f21e628959622a569b2a4221b8a4cbcc34f3d01684da97bea5cd9caf7
Formbook
ca179c01ce38a54fa4659496a086973f3fc99870230a725fc782c71453ac5f54
Formbook
+ 3'760 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210203-abmchp8v6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.badstar.net/tmz/
Unpacked files
SH256 hash:
995a0fef02af161b6d4c0c9268c7b1d8e5ce15c298d05fefe6f4dac07a1a4f58
MD5 hash:
eec4f2e7408160fdaddfad262bc66b7f
SHA1 hash:
9c1c73f4dc3ac097fa1c558b6823a1329e8eb1e2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3dbfdde-fe4e-4124-a033-f8b11b91df27/
Parent samples :
ca179c01ce38a54fa4659496a086973f3fc99870230a725fc782c71453ac5f54
00acf6968d171803228a4f1450253321b344b28f0354ddf9c1c2264922413b06
a0a65e80ca7f9fe9b5dbe136cf4a2b548df61516c223684f43b6701019fa3d17
74e5237030f7b3dbbcdfd7f30bf3fd3e463cbe7d6253c8bd7a737b6aeab05b5a
1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1
d5583f28c613411219bdb73b1c05505679f9d87cbb70f1ab9f35bd65a6e5d25a
SH256 hash:
ab057df3785f54407ea2f1e6353d179fc5bd2b06604208f18ab4b6c87d1ea8c1
MD5 hash:
9fa95dd61b5f422e2388b8c391bdc8dd
SHA1 hash:
b9e6c606067e6d4a058a05c45ab66833b337cbcb
Link:
https://www.unpac.me/results/c3dbfdde-fe4e-4124-a033-f8b11b91df27/
SH256 hash:
ffe4460c1b9f6f030a6f92de9805a80efcdfde514cea7fa3e32ac86bd01393c2
MD5 hash:
513b799cbcc47b13e67056d5c9ea9c55
SHA1 hash:
39ddbea6fe17172fc27c7b70ef5c2264b2fe73ed
Link:
https://www.unpac.me/results/c3dbfdde-fe4e-4124-a033-f8b11b91df27/
SH256 hash:
1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1
MD5 hash:
eeb5ad78ea112b5deff59465cb1be3f6
SHA1 hash:
fee8b77fcc1037e65929d031a0788e3269ef869e
Link:
https://www.unpac.me/results/c3dbfdde-fe4e-4124-a033-f8b11b91df27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1ef213730f8d967270ebb2edebb9086f266870c9146be06a38f5d36ce3f627c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/986161/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115437/

Comments