MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a
SHA3-384 hash: 78c5052e700ae0d94417dc225b5701d672ed47d4d82bd84da73757e1a980227a2369835a7987beb13fd101855b71e4d4
SHA1 hash: 01aebe1b1c7ea5d4d0d43b195536353c41167713
MD5 hash: b01746305f5f6173bc489cce8f144b71
humanhash: cat-quiet-social-cola
File name:ebede.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:401'724 bytes
First seen:2023-10-02 14:30:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 12288:BnPdwWSaJi/AF1qn9y/X1w8WZ9V2nEQOyP+SkX:9Pdwwi/A+9yfi82L2nEM6X
Threatray 76 similar samples on MalwareBazaar
TLSH T19B8423B2BBA2D465ED72D7311E3D8B1F5EEE94A640A0350B27517F1EBC1A740C81A393
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452621/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/651ad3ee83a0c6425d0507db/reports/a43adeef-c9d0-4300-a4c5-09833c2db07f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/637d59f3-c1b1-455f-999b-553b80d13f45
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317974
Signature
Antivirus / Scanner detection for submitted sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 12:31:39 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oodrn4iyukobmr2a2wokdhnbmrm654oc3ylvrwp75vbegtalgzfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f
Formbook
23bfcda4b9ecb16e315c10b4281bc1a815b74fb45fea48f29a92fd31ea9a6315
Formbook
457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
Formbook
4c55b72d6382b77ef4ba16dbb46b590e0db7a4aa888ddb82e73936e0623f9102
Formbook
50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1
Formbook
5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
Formbook
6300d368d310eceb7f16705109c32e58f5f6c3bc6d43503c69e20388f86c73a2
Formbook
8132806c05668768f28af83ccb49438520dcb0ece18326db9698623152f35018
Formbook
c275d87e329c16226557c0ff240d0e9503417f51da02f33a3dae9eb7bc089515
Formbook
+ 66 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231002-rt5nzadb89/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a
MD5 hash:
b01746305f5f6173bc489cce8f144b71
SHA1 hash:
01aebe1b1c7ea5d4d0d43b195536353c41167713
Link:
https://www.unpac.me/results/e5ead956-6b04-43f2-83a8-cd6d2d67993e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/738716f118a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 5154c7f634096d8f89d99ef54a306761a6128936e6260ca5ea7d123cb6dac052

Formbook

Executable exe 738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/452621/
  
Dropped by
SHA256 5154c7f634096d8f89d99ef54a306761a6128936e6260ca5ea7d123cb6dac052
  
Dropped by
MD5 20374ec15334e8156f6c74fa622727a8

Comments