MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a
SHA3-384 hash: cf22212da7a2e9f1a21ac8f015cd615dc7bd0299f24eb6c91ba703ee091173be2fedaefa8d47576efa8cda90fb8ad6e6
SHA1 hash: 629472079c3022ff904ac46705cd03808194722e
MD5 hash: f6cf8bf74259e4cf8feacbf5b4d7a86c
humanhash: july-quiet-jig-sodium
File name:EEcbDKtUD5MqK0g.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:995'840 bytes
First seen:2023-03-27 05:28:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:b/PiwOvFzdvwe0PZe+LfnQpbZnN4LgDFr9lv6n:3mFhZ0ZeiPQPnNpDR9R6n
Threatray 2'383 similar samples on MalwareBazaar
TLSH T1B625122527BB476AF57A6BBE81A036455B7E7BA37703C64C09B110CA4733B021FD162B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EEcbDKtUD5MqK0g.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-27 05:30:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ec5cb47-b035-48f1-b071-cfa8e9515f70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/377734/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/642129b38f3f4544f6cc46e5/reports/eb3f546e-bc3d-49fa-a894-371b7cc7805e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dad2a36e-2bee-40aa-93e3-dc2facc0660f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202433
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-20 09:06:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nveb4gbbohzozweef5x2sbdfmmjwidnei53fludtfi3yqcovrv5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7
Formbook
35dc865c22873093d1417a28a5782b40e96ac3a890b51cb57dd89bedb23f1bfb
Formbook
74918059a600f724964e71c9c698e6d46090248c16f29909a9de9a8b290af4a8
Formbook
85b572a6060bf6d434ab978aa1447096c11f84bcd329d71364de8daf261a4660
Formbook
90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
Formbook
ac61c80f02e15eb3705836ff8dc9d81543eb0e26059d4aaa9b0895c716deafe4
Formbook
+ 2'373 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230327-f6lk3sdh6z/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
8e3ac9363b8f43d5e8cc7b7669160ccc8f4f28f23d73af4bbc79b1e8d32a327a
MD5 hash:
6390d371a2803c489142330f7961c7f9
SHA1 hash:
602abf6ee933b2122585fff1c0b4ba5b25203a4f
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
SH256 hash:
dec36caf3429f66b9d01dfaa711c5b5895c216a3ae03e68f1fd0ff002d70fa98
MD5 hash:
1295fc324f5049db7736871d1a3f185f
SHA1 hash:
0e7b24ec653338565012d757737977ae4754b64c
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
SH256 hash:
4a71589c38f681c31b67ff22387920deed48b701e61b56b88d805bdba0dc7d35
MD5 hash:
acbbf02f9dd32e587eb4a9443acf19a9
SHA1 hash:
e12e6e863c42934aa3e0de5f6e87c43af604e60f
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
000c0889c2d93807781cb5e2c212d07bd38c6fed9b738530f2515640306b5f44
MD5 hash:
8d369299a047f228593293887092e43d
SHA1 hash:
7e38cd87127c3ea59ddba80f7ddf35fb105a7f6c
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
SH256 hash:
e4853f244ddefe9cf485d37be24648ebf77167f347ef91e318d3b969ffac166e
MD5 hash:
e3237f62645b5c79fb6460794dbce782
SHA1 hash:
2c404dd431fbcaaa6627047e72f83aa4f453f9ff
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
SH256 hash:
6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a
MD5 hash:
f6cf8bf74259e4cf8feacbf5b4d7a86c
SHA1 hash:
629472079c3022ff904ac46705cd03808194722e
Link:
https://www.unpac.me/results/c5280ec5-4eac-4719-97a2-65ee74edd73a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d481e182171/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6d481e182171f2ecd8842f6fa904656313640da4477655d0732a378809d58d7a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/377734/

Comments