MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65
SHA3-384 hash: 80e81ffe4f86a364541b39f796adaf3d8e5bb22ca1d5cb7e48eee04f26c272314e10dc396df0aae4f695c69fadcdb90a
SHA1 hash: ee559f3fc45de552a34465fa748e644c8e3ce7de
MD5 hash: e7dd93384c789aaf80dabe226b0a9eda
humanhash: oven-spaghetti-ceiling-princess
File name:EMASK SANAYI.xll
Download: download sample
Signature Formbook
Create hunting rule
File size:566'784 bytes
First seen:2022-04-14 11:22:51 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:ln/zDvGHAykHSzLW/4+8bzbBSreMdd6gFK/UqW:pzbGHAzHAjX1NcL
Threatray 116 similar samples on MalwareBazaar
TLSH T199C48D57F7C7FAB0E6BE827A86B1891C527774520260A78F674072896D23392493DF0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:FormBook xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EMASK SANAYI.xll
Verdict:
No threats detected
Analysis date:
2022-04-14 19:18:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9655d61a-0e9f-4895-89c4-2df76e301dde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed packed
Link:
https://www.filescan.io/uploads/6258042effe27d5119cd8020/reports/757e9719-1569-4977-88e4-7ee8648b23f7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65/
Threat name:
ByteCode-MSIL.Trojan.ExcelAddin
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 11:23:07 UTC
File Type:
PE+ (Dll)
Extracted files:
3
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=md7thdd3eo6g336t2hpplvd3xfea4hvgqb4d6hngusmlvqgz55sq._file
Verdict:
unknown
Similar samples:
0c425d6c6bce93fad4f32c275db574e8b3161a1ae55a9a957d50020b516d3e2c
Formbook
0ef5f84a6608bc85058740063ba211f2d7da26883266aed349531c9678d29d55
Formbook
226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a
Formbook
2d9035fccfa410259c75bb54edc9c95c2d736e6bdf87832fc2062dcd89286b39
Formbook
2f617a71f3eaab15248aa9a964c464e71d8ec784417e79c38b5951ddfa39c2de
Formbook
30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4
Formbook
5f1beab27690a8ea9b9be78c5d34dd852dd3af4f5128feace84d1b2e10d73b59
Formbook
676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784
Formbook
b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
Formbook
e0a8a096299e8b28d1166af3321045635294e03227d45515f5c48f4fd38e943b
Formbook
+ 106 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o24i rat spyware stealer trojan
Link:
https://tria.ge/reports/220414-ng5awshgg7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments