MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29
SHA3-384 hash: 8ff9b75cc9ac9861bd27ceb42701cb6207b2241a6b0c532f5574742840859e8fbc85ba022fb86454148bd7bebcad21e2
SHA1 hash: 3e43cfda04be09e7d330ef20072937ea86e1430b
MD5 hash: ce4931c9f9cd5ac19e290cafd7357780
humanhash: cardinal-may-jig-king
File name:rOrder_0562190.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:651'264 bytes
First seen:2023-09-22 01:04:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xMCxqEisUH/k+uvIYafzpRnAvtTvTSpU:dqEWOAYafzpR6Jvc
Threatray 31 similar samples on MalwareBazaar
TLSH T1C9D4231B27EC4F22DD5CA67E4166419013F9C2872037EB9E5EC6A4F96CA7BC00E641DB
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
rOrder_0562190.exe
Verdict:
Malicious activity
Analysis date:
2023-09-22 09:10:20 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/e7340f0e-9b12-44f3-bcfc-b767eb93be83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450524/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger masquerade packed
Link:
https://www.filescan.io/uploads/650ce8401edabd99829e4d46/reports/57ebf8c8-7708-40c5-9b64-e80230667b91/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac90409e-d215-42ef-9143-02f7ea82f558
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312698
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 04:39:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3xoyq3npk6kiqqczkpf6pra2k6gu72k3lzebyn2lk2b5fejbquq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cc4308eaf906783b45db5c75d2bf7e5a0b74d9d531dcce595604c1f436d4fb4
Formbook
4588c6ac02ddd81f8315af2307ec516f58400c555ecd74944a77964fbdd992c1
Formbook
5aff1db8f4c749933cd8869e1e80f000e4c27de7c0c7a7d1aa59c4f324522210
Formbook
8a74737cd563828a070e74b5fa4af0eefc7a98cf8b52fcc0ee5db3c83a2d9cb0
Formbook
9cfa472702dbedc0f87b0e594d3c8ace16e1c9952d8d7e44be8aa9114b214c45
Formbook
b842e2fd60338a5a60a60ca5e4ec84be149b7a15c7840e93c2e22ac03843701a
Formbook
de626ef467f34c5443918399208e46e271a40e010e23622eb53ef37d147e746f
Formbook
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230922-bfhpaade24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
043961098da7adb01104bfe078e0a9ba8ef1581c08c182bda7dbe321f9a2cbe8
MD5 hash:
70898a3cb1089c9bfead550b36b55d88
SHA1 hash:
9deebc8dad032b8c062744e0cc7f211d390c7c5d
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
Parent samples :
5aff1db8f4c749933cd8869e1e80f000e4c27de7c0c7a7d1aa59c4f324522210
6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29
8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a
8f939a17b7cce53784b111ad018d932191e79305b5ae129347503b238f2274f7
afbcc4589635ef9e83579c9865d99e7b454f827e5ae02b8248db0fc73d9553c4
SH256 hash:
eb3c14db4a7fe19d173136aed70921e64e0f45381a556f0f87ecb0f4f9ce8a8e
MD5 hash:
f95951ec1268bf89deb167d4ad8074c8
SHA1 hash:
f63707eea9536bddd0abb93683342b53c1e850a4
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
SH256 hash:
a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d
MD5 hash:
200ab8e098a1e41ca357d3cdcfab4bdf
SHA1 hash:
dc2a6966c9b964286e41d8cc77d57bc5e41ed216
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
SH256 hash:
ea82d7e23eb6eb34cdae298e3f612be3275f504ed7cc5438a7d18944b0e94aa5
MD5 hash:
4e331f561f265987fda8c37ace0b7e30
SHA1 hash:
93f390704dd5afe9fd7c8ea4e2aade78ba25f661
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
SH256 hash:
f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb
MD5 hash:
65d61d54ea7665a497fed9699cc9e7e5
SHA1 hash:
8418bb9f902beac21267a1a60ac8431a4179defc
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
SH256 hash:
0bac530af531541aef55b380bbb3ab5592e0f11941b5e2a053c8406f5519faa5
MD5 hash:
58502fb6aaa0c105637cf2a21ff1d104
SHA1 hash:
2fc3130188731710c1797380ce51d1102acc0b90
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
SH256 hash:
6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29
MD5 hash:
ce4931c9f9cd5ac19e290cafd7357780
SHA1 hash:
3e43cfda04be09e7d330ef20072937ea86e1430b
Link:
https://www.unpac.me/results/1bf7735e-7622-4079-b229-78ef3b8a6525/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/450524/

Comments