MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d
SHA3-384 hash:	8bc3639ccfe32ea396a4421e975a040a0a610f603ad33193afadbfc78c1ed723359c9c7f3408c78a153acb7a3674f4a4
SHA1 hash:	065eec0d3c6be932af05fbaef62f7fc5f858fd91
MD5 hash:	0e3246d3fd336f884d852f9a7c4dcc6b
humanhash:	juliet-music-california-ceiling
File name:	SecuriteInfo.com.Artemis0E3246D3FD33.29037
Download:	download sample
Signature	Formbook Create hunting rule
File size:	491'008 bytes
First seen:	2021-02-09 10:54:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:vZO/W/3TAYrT5lgpcB0rZ4pP7XArh2a0xqCMy119k+8s0Db:vA/W7XI4as13vns
Threatray	3'781 similar samples on MalwareBazaar
TLSH	DAA4ADDC726072EFC867D472DEA82CA4EA5174BB831F5203A12715EDAA0D897DF144F2
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MT OCEAN STAR ISO 8217 2005.xlsx

Verdict:

Malicious activity

Analysis date:

2021-02-09 06:55:46 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/9cad1938-b913-41c1-b0da-6fd6d11b162d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/116160/

Detection(s):

SecuriteInfo.com.Artemis0E3246D3FD33.29037.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/602842

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2021-02-09 07:32:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224

Formbook

1af16016b5773b6d22f0d0e5f93392e909d3505d22ef1cefb8127798de67760f

Formbook

28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069

Formbook

420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5

Formbook

5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2

Formbook

87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e

Formbook

b3420cc90cce972045db0377a5c383ce049652650946b0c84f27280a7dbd1e38

Formbook

e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968

Formbook

f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443

Formbook

+ 3'771 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210209-glj5j8zbfa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.aone223.com/67d/

Unpacked files

SH256 hash:

7cfbb654739e2856560a325a42a4f5873be66fe06e4a44fc9954e63ae920e5c6

MD5 hash:

602352c5e85f68043dea8b6c3b4550a8

SHA1 hash:

5846ba3a76246752fa4a6511458995d1e73827c7

Link:

https://www.unpac.me/results/280e4aa6-990a-4e1d-90b0-4ce6ae756769/

SH256 hash:

2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788

MD5 hash:

987ce346069cf47535e5ac57265c7228

SHA1 hash:

d0085325ed78fcac6d1f605753237abd1c40db22

Link:

https://www.unpac.me/results/280e4aa6-990a-4e1d-90b0-4ce6ae756769/

SH256 hash:

17faa1d6403f13d26d3bf27e62242883ae8f26a97cbd094e6ac8f75d39b29dfe

MD5 hash:

d78cc2cf0a1d4219c3b9815c0c8235ed

SHA1 hash:

12ce985c7e6d6a9ac3e79f56745b907cbaf91736

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/280e4aa6-990a-4e1d-90b0-4ce6ae756769/

Parent samples :

5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d
401df7c1ce321b7e1b72cad683db23e8d78d3a84523acc746d864f724a765cc6
24f65cdc73215c756025b3b584c9046b15a5feb7ee96a88d46c61a462cf46b49
2bde41794f3ec8ee0b4e4be924a18e9b55c9f61eed39f10d16bc0afd9e33ba48
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SH256 hash:

5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d

MD5 hash:

0e3246d3fd336f884d852f9a7c4dcc6b

SHA1 hash:

065eec0d3c6be932af05fbaef62f7fc5f858fd91

Link:

https://www.unpac.me/results/280e4aa6-990a-4e1d-90b0-4ce6ae756769/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d

(this sample)

Cape

https://www.capesandbox.com/analysis/116160/

URLhaus

https://urlhaus.abuse.ch/url/996752/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample