MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
SHA3-384 hash: efd673f2ea362aac9fa0c4f5204ce40f639f6c8b6f4d097e8f0f61522dea149d2828e19d07cf10b1e775e9e7ef865a5a
SHA1 hash: 6cfbe4d044dc831656e42586035f8d48b5d5ffdf
MD5 hash: a20a4bc58cd0e59aa876521d1b4e3691
humanhash: violet-oscar-six-august
File name:invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:795'648 bytes
First seen:2023-05-15 18:17:03 UTC
Last seen:2023-05-15 19:06:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ZYZfTPUhoX6yPHS0wtek96Akyxo4Xh6vXOsg358UAFLgch6VVCLv:ZGLUWFbKb8AvXoOsS58J07
Threatray 2'835 similar samples on MalwareBazaar
TLSH T1E205E051721A9B17C7A853FF0A28858503B47B16BC6BD23C2EDF20CDDD12B114E66EA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
289
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-15 18:18:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e40f7e4f-cd76-46aa-8b56-10b4c46564ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390232/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.27611.13024.3356.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed snakekeylogger
Link:
https://www.filescan.io/uploads/6462775b50d4f3894cdee1f7/reports/7be7dee6-3600-4d72-8868-24031348a042/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1f3d9592-28e9-4af5-8da4-8039677aac38
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1234016
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 08:50:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lbjbbuf4htvvmkgdeoyov5ef7nijqgaxyt7f7l74ma2r7alwz4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
Formbook
114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea
Formbook
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
Formbook
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
Formbook
28981de1a7a9617749fe0a5d19b8e0c80b2dc082118c1ca1b95e475df34e44a4
Formbook
362365797a625ef308f4071bc408a35c5cf5db4c2e6847bb854b995eec8e658b
Formbook
3fe2c04c33423019af7464d50b3df0775a565e9a31e1a289b49e4e180585ab00
Formbook
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
Formbook
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
Formbook
+ 2'825 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230515-wxk6ysfc5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e031d5f3652259dd052e79eaee198ab7fb0feb522a859771289a39a73a297f06
MD5 hash:
5e5b621044793588fde2b9482b862083
SHA1 hash:
b85e8343fc412a63748589cd544b90ccc841dc92
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
Parent samples :
0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
19a7140e84227b4d9af59569af23a0a5a1edd34c45b24691348f227f2c540712
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
8bc2209887fffd6b27980ba8c2c138deb45370c5b0a8434f9542897c6a05c931
ede3876cdaa9f15dc9f49a080713bfc4e254d222d99c2a09b999d62d1d4f8c05
b755e080b9f6705b088275a44a96251bc547ad58b4f63c9988d90e1c97bf283f
36bd2802a452a2bee1659648b0a4b1de0cde1ebac09d0d5ebe0e2c1189483432
6371e6f808e46f98c8d2e98d1a81203dc6ec3aa755ee5e61bee436bcfdb92cbd
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
607dcd836bd33a6d2afe6ef3c632468ef126eb49923409e246ba7ec86311c5a7
00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f
SH256 hash:
fc83e07cff47a7ea1058bf4d75f6d98fcdaf457a6f88007dccbbc36796a16847
MD5 hash:
fe559bbf47ec0c554420bba97f79ba0e
SHA1 hash:
c097427b5800a352d105c830e98332fe8925bcdc
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
SH256 hash:
3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash:
8a2c496875c0871aecc16aae768b323f
SHA1 hash:
f5423a32125c70b512de301c5616c7b75477e2e7
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
SH256 hash:
c60f95b2d15d6fa2dcee8f1998cd107f8d280d015c93649a48a156fd668eb4a5
MD5 hash:
5d5e3c30fc4149342c8d67bb248aaddb
SHA1 hash:
b2f5c0b4e7f39615079d5f03d62c683dbdb47182
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
SH256 hash:
73ad71b6dbf8d066e1a7bc47ec915d713eb942f903db5d527158c6d1c63cadd3
MD5 hash:
2b1d5ccce63ddc919347de977bfe8804
SHA1 hash:
7f50bb8d9450a55d06e114662ddecae2f05ca036
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
SH256 hash:
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
MD5 hash:
a20a4bc58cd0e59aa876521d1b4e3691
SHA1 hash:
6cfbe4d044dc831656e42586035f8d48b5d5ffdf
Link:
https://www.unpac.me/results/5264fa65-282b-4b91-bb43-42acf4c66e81/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2c2908685e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390232/

Comments