MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d
SHA3-384 hash: 622b3536aa0cc82cd7b82f548bf6dd3aabdd39846ac071441a2f8acf35e24e6ce5f0ea3b89611625463c185bf21670b0
SHA1 hash: 61558a2ed71722e275a9331d026eb2596891c07e
MD5 hash: 4c0038ab763e49f38d6787a1b8181028
humanhash: fourteen-beer-lithium-purple
File name:1Z7E9E498618774042.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:768'000 bytes
First seen:2023-09-04 06:03:43 UTC
Last seen:2023-09-11 13:25:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:jUOPypIzJfOUmJZeCbBC8DomZ6RLYwdi30RDJfXzhKOfm6PgCbL:jUOPypIzJWUgZxboCf69YGi4hEOeYgC
Threatray 1'264 similar samples on MalwareBazaar
TLSH T15FF4E0516255CB12E160B7F3D422A3F407B6FE2AE5F2D60B1C817CDA36B3B504A52E27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
262
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
1Z7E9E498618774042.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 06:10:39 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/f2158f5d-ac45-4a58-a582-8176df5401ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445931/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64f57355e29c52e38dc711bf/reports/fbd7de1c-eefe-4631-9630-7726ffde62b1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7d4b27b-9c01-4792-8551-8cb340dec06c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302624
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302624 Sample: 1Z7E9E498618774042.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 6 other signatures 2->41 10 1Z7E9E498618774042.exe 3 2->10         started        process3 signatures4 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 13 1Z7E9E498618774042.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 2 6 13->16 injected process7 dnsIp8 27 apzaccountancy.com 195.201.173.227, 49719, 80 HETZNER-ASDE Germany 16->27 29 www.638258.com 172.120.46.60, 49721, 80 EGIHOSTINGUS United States 16->29 31 3 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 raserver.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-01 07:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nquhr27awrx2drj6c4lyynssadeg25ctbtmauj4nrpuo5ybkcnwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca
Formbook
2ea94454b1acb888df318792b9a81e621b95e54619d3306a4a11e26148fb3fe3
Formbook
760831724396437abbc9df355eff72482e467f43cdd76d426283c86820165e32
Formbook
7fb288f5178629fb28c3e69ddce9ae31d61bccc816ff87f7e9dcfbb401238cb2
Formbook
a0a28dbb92c8b98ec543cdc18e47ce1e6c5dd619a719c48815887984364719cb
Formbook
a9ab4e13cdbebfec5197adfb01e69c3e1452c2dcc693bc366b082ef63cd5e3aa
Formbook
c0cdbf1f06967ed21beeac44d82b6fa168ec433ee130c042c6ffaf16029d9003
Formbook
e266f399bd4ae4bf061be020eb3b3cffd0a1a3621ff7985a200b9ead765f1238
Formbook
e8c89752942b8011820e9d04753700eb70f77a8701796ef7e826399cf889f9ec
Formbook
ecadb32b71a989d1a6126642c5182dd367ded29aa0a9d29433f88f474d6f997a
Formbook
+ 1'254 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:kp16 rat spyware stealer trojan
Link:
https://tria.ge/reports/230904-gsljlaeb2t/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
b0f628c63fe5793783414dcc5983b7e182ebc801cd2fd256c52bc2c443f5fbb4
MD5 hash:
dac078bd0644cd2a9ec1753f29d632b2
SHA1 hash:
5d70406737173a7845e4c54ad8d33cb7261ef6a5
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/fabc8907-2902-4c00-a3c5-b9e14fc8b85a/
Parent samples :
c12c8b215ea70724d05e814efd6d317d96477e8c2cb36d48be2f9b8de14b2b60
6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d
61dbeb0e19a0d2d2cb57d370bfc4d56e5aac60f82943dc908458e828c9e4b208
SH256 hash:
ed4ad11b3482c748330f4500c11633b3a47467492d4cdd84324bf327f41b279c
MD5 hash:
63503edbd00ef02ffb4ff04fba4ccf73
SHA1 hash:
c164e4405c49b153ccc2598ff06da7404e26aa5e
Link:
https://www.unpac.me/results/fabc8907-2902-4c00-a3c5-b9e14fc8b85a/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/fabc8907-2902-4c00-a3c5-b9e14fc8b85a/
SH256 hash:
c094444932babf732e788625413d66665af54fa789015decb7e2da3d3ab25dc3
MD5 hash:
49204dbac9267797c9f6679a4bac06ec
SHA1 hash:
5590f19a53f6e6a88d14adfbc83ea1cd7ae002c7
Link:
https://www.unpac.me/results/fabc8907-2902-4c00-a3c5-b9e14fc8b85a/
SH256 hash:
6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d
MD5 hash:
4c0038ab763e49f38d6787a1b8181028
SHA1 hash:
61558a2ed71722e275a9331d026eb2596891c07e
Link:
https://www.unpac.me/results/fabc8907-2902-4c00-a3c5-b9e14fc8b85a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c2878ebe0b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445931/

Comments