MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6eb55e95d67cd97e33c9db999877616465567fbab73a4ab2face292bb6df2f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: c6eb55e95d67cd97e33c9db999877616465567fbab73a4ab2face292bb6df2f0
SHA3-384 hash: d00af850823c425db89db75cf204e93f689cd1a70e6f2188477c13026d2b6012922a7eda88794b3c8c8d93d1cf667a44
SHA1 hash: 0bfa40d60f522f20b5ef145c2caaa532e99cf492
MD5 hash: ca9ac05b3f741d77e47c5632ca333049
humanhash: washington-maryland-hamper-coffee
File name: PAYMENT COPY.exe
Signature: Formbook
File size: 486'912 bytes
First seen: 2022-05-17 11:12:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:eKJH22qla5w/yXbxrSeRG+dGqqbnFxocnMm:XJH0MW/IbxGWdG3nv
Threatray 13'576 similar samples on MalwareBazaar
TLSH T114A4E156579AC2DEECB47A7B88F3B3A4BB41FE00407B871B49EA780A8D133C1BD81554
TrID:
72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter TeamDreier
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 199
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PAYMENT COPY.exe
Verdict: Suspicious activity
Analysis date: 2022-05-17 11:17:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 96 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-05-16 22:54:15 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:64pf loader rat
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Xloader Payload
Xloader
Unpacked files
SHA256 hash: 167ef3b4b8e721998dab09a27e7d3e28852680d457055a7849ff44d6079c9343
MD5 hash: be03d9208898c71f59af7712a787efb5
SHA1 hash: 48d471c1b2e7711edb753ef2158e954420ba3eeb
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: a07fa86c20702797d38d4c0a9ab452f031089d462f4999ccc58c8453e161e6a4
MD5 hash: e065b6b4191166a8dfb8ca27146a74f1
SHA1 hash: 873dedc671f1d4003b0b355d36915986bdd1e44d

SHA256 hash: 6321dfd23c4a05adade4d4e9bde38a3e8cb401c023bc834fdd57d556cd365da6
MD5 hash: b9cc7d84175da0cf8c9ea44c6d80a588
SHA1 hash: 026df2391116f6e2347767081a2ace4d9a4b4277

SHA256 hash: c6eb55e95d67cd97e33c9db999877616465567fbab73a4ab2face292bb6df2f0
MD5 hash: ca9ac05b3f741d77e47c5632ca333049
SHA1 hash: 0bfa40d60f522f20b5ef145c2caaa532e99cf492

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_Reverse_DOS_header
Author: SECUINFRA Falcon Team
Description: Detects a reversed DOS header

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe c6eb55e95d67cd97e33c9db999877616465567fbab73a4ab2face292bb6df2f0 (this sample)
Delivery method: Distributed via e-mail attachment

Comments