MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df
SHA3-384 hash: b121c15f870688a6dd15f509f3f73e03ea7fc958c54f0a7c109b31780ba7729d62c42ea1c0c9851993bc6eb1beeeb352
SHA1 hash: 4a89897bd0b0bbf2a08e7b6bb794add1739fac23
MD5 hash: c9dbda15d8d46afd8e6cb17ba4dded7f
humanhash: single-mirror-white-seven
File name:NEW ORDER 2T6U086421533.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:753'664 bytes
First seen:2024-04-28 09:10:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:CWYIPXjxannnHg2z0lqwRC8yVXjAlFVsGRsIAnHdOtDDfMiozyOXzYe2/fCpG:CWYIPFannnHg2z0ZRCHXMoWnimOUeufD
Threatray 619 similar samples on MalwareBazaar
TLSH T1ABF423B637DE8787E9AE4BF80422A4105777F5555890F31A1EC7E0CC4E82BD2DA8097B
TrID 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.7% (.SCR) Windows screen saver (13097/50/3)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon c0dcc1c6c6c2dcc4 (6 x AgentTesla, 4 x Formbook, 1 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df.exe
Verdict:
Malicious activity
Analysis date:
2024-04-28 09:22:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7e64a77-8cfc-4540-a556-d8b7613a8098

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/662e12aa54bafb7d21e3603e/reports/6773a85f-0a0c-4fd9-951c-53767890c819/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/491a993f-2cc3-47b1-973f-27e9568523af
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1432827
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1432827 Sample: NEW ORDER 2T6U086421533.exe Startdate: 28/04/2024 Architecture: WINDOWS Score: 100 28 www.ordinarythoughts.org 2->28 30 www.jthzbrdb.fun 2->30 32 3 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 10 NEW ORDER 2T6U086421533.exe 3 2->10         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 10->60 13 NEW ORDER 2T6U086421533.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 16 ggpvgiCQeLDoVhRplFeqYR.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 openfiles.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 2 other signatures 19->56 22 ggpvgiCQeLDoVhRplFeqYR.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.heldhold.life 203.161.46.103, 49721, 49722, 49723 VNPT-AS-VNVNPTCorpVN Malaysia 22->34 36 www.a-two-spa-salon.com 157.7.107.63, 49713, 49714, 49715 INTERQGMOInternetIncJP Japan 22->36 38 2 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-25 05:02:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4e77qnyuphwfmkxnwdsypp7w2c7vln4nobli7dmti2d7vziektpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3eebc98964a6d4a81fd0371df1a6207100e7bea4eb78a000bc2accb0f10e6e7c
Formbook
48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
Formbook
6465b2c5702a723c7229e33fdf38676e3b0e0049b5b632e2fe6e210713f6a7e7
Formbook
81f6e3ff9cc821300e30acd628d0579793806ebfb89941d04f9bc33998f9a851
Formbook
82f44b1567060a432d242e4dd09be70c655d484af05a5f59c78a4679d0be160b
Formbook
8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5
Formbook
92044a1dfdd31eaa681683708cbdd3c75e398f35a6ace235926946dc5fd1715a
Formbook
a5a473bc3d643ce300b72af75ae8f7a0d47ee983f1160707606ef9e818bb1a2f
Formbook
ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
Formbook
bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c
Formbook
+ 609 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240428-k5la5scf2s/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
32bf6832143ab8b98107d3b25754742ec33ae043ff125d27869caa287023515c
MD5 hash:
16e913c65371613cb6dd1af205ac6efa
SHA1 hash:
6b47bd848cd17039b60b6e9c80627c2516f19af8
Link:
https://www.unpac.me/results/80967b53-0837-448c-9d0d-50ec5a06fafd/
SH256 hash:
d901a47b5b4ea6bf997e5838a1f0966128bdb992e60962b0b334e50d0babaa53
MD5 hash:
80ed8eba3fe3c574e0a540cbc79488aa
SHA1 hash:
e6065d954bbf8a45daea1d9ef9fcfaac261ff88c
Link:
https://www.unpac.me/results/80967b53-0837-448c-9d0d-50ec5a06fafd/
SH256 hash:
1c633f39a192f108f755e0bcf412e8489ad80781f3b7807c80892deb2526ff0d
MD5 hash:
e4b5d57e9e46a4e76075b5b92f71577f
SHA1 hash:
d76dc165724148193c6911cc75fc62c198737d3a
Link:
https://www.unpac.me/results/80967b53-0837-448c-9d0d-50ec5a06fafd/
Parent samples :
d89ea6a01347b82f963ed7960583e5d76c6a07e91852fae83bc290e0f64a06b2
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
SH256 hash:
a3de65d9607fa28995b6d60b0ad501d36107454865c7a74e8121ec11320ae565
MD5 hash:
7dfefede4d4b4d15fe2c4d83996e9e1a
SHA1 hash:
62e0258f0a8d23d17225ff7ad0b304ab12a9fd6a
Link:
https://www.unpac.me/results/80967b53-0837-448c-9d0d-50ec5a06fafd/
SH256 hash:
cb6bb4332acb68b061fa6ef8ae56dc46ee60dd93959c45eef9772072e0b7dbd0
MD5 hash:
00dff81e2f32a4595942d01c421ad9a9
SHA1 hash:
1c6aebd9c11199ec84b0d9afa191e68aad2ccb2a
Link:
https://www.unpac.me/results/80967b53-0837-448c-9d0d-50ec5a06fafd/
SH256 hash:
e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df
MD5 hash:
c9dbda15d8d46afd8e6cb17ba4dded7f
SHA1 hash:
4a89897bd0b0bbf2a08e7b6bb794add1739fac23
Link:
https://www.unpac.me/results/80967b53-0837-448c-9d0d-50ec5a06fafd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e13ff8371479/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments