MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd
SHA3-384 hash: d819f91db52ed66dbd7ebf1343e93a523fe626871df2f0fddfe71dc0864f40ebf95ca70182e961c7cabc74115f383d36
SHA1 hash: a22625921195979fd16e5cc35dec3c735a0d57c6
MD5 hash: 99e7613dbe78fa96a28c2abb94fa65a4
humanhash: pip-papa-don-spring
File name:Invoice#1904387674.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'088'512 bytes
First seen:2022-03-30 13:31:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa4b66456290731557fc4ee6d16f65af (3 x Formbook)
ssdeep 12288:Lf+uGxUdVNiUDDKQOrXWGolA0eWUW/uqCbjaAfVyAlHLe73dfDWVwyUEVcl:L2rgNiUDuQOKhlmWaXaSU/7y7U3
Threatray 14'911 similar samples on MalwareBazaar
TLSH T1A435BF63A3D14837C137267C5D1B5B959A36BF002F2898BA3BF52D8C3F39641B925293
File icon (PE):PE icon
dhash icon e4eea286acb4bcb4 (5 x Formbook, 3 x AveMariaRAT)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/259695/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.46874.4582.8265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Searching for synchronization primitives
Sending an HTTP GET request
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12107/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/62445bd5a19c649412ac97c8/reports/bc79281e-6998-438e-bedf-5d59a5c16210/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7d0e996-986e-428c-b96d-dfb02072b7fb
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967605
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 13:32:08 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lczdz3mwds4pzmihjaybqwxfbvevaffypedybrkr5tg4b3eyhoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
Formbook
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
Formbook
6e0e8d1cb340a26f3e8294c7b07ce486b56afcabfb90b7e20e4331b6384a85ce
Formbook
741c817dd6bc5c718770d5903d3d0bbb0038408cd6bc6321c1fe364649e38ffb
Formbook
89ca1ae6afd4451562d33f381d21e085245ebe1047d4a812d818fcf0a2e01393
Formbook
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
Formbook
b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1
Formbook
b9ed36a21e09ff33bef163a4b8f5f041bcc51ef24b12b66e4192a3dc529ba5f5
Formbook
f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e
Formbook
+ 14'901 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:jdn3 loader persistence rat trojan
Link:
https://tria.ge/reports/220330-qsx23accd7/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
ca2ce40cb878ee57a487ee26e86a6d5be9996171f32d8eea12f19f974bd6dcb8
MD5 hash:
1f2c2df0c24a74f49c5b37a45a92f826
SHA1 hash:
915f340b525a5e4cd5f3aa380c747a925ad1732d
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/181eee01-a1ee-4dde-a41a-fd122da0a7cf/
Parent samples :
8f6c3613cdccfdb0d7fd02b33e0afc8c13c640d305b2fdc3319135a18e3ca73c
496a9fb5d6f7b03a1dff59806fe6b74faf6755a903e82d99980769d0890f2730
6171e04c14e21039e5d518ea5b1129a09ac09d23f8c8169da89ba5fc7e816a35
fb8a339c0426e7443a8a557a8db6745d4510abe1086a0ecad45493bbcab97fca
4ed75b8466a537951e39fcf6a8a024701d41c6ff3be98153dcc81dbff6a75756
f443e1a292f282bb4eefcb9072d2ad429fd5d10983732f8c0b23b1f607e63314
1359549cb60ef5ca5fca53dcc5a47d9552fd5e24afe09ef563f18051417fc4ac
df451e4553398ff8f82e6f516f7bd9b04fb8ea925612f2ab95b98284abb228f7
63f565a5108d757c36e565bd6f4d2ea6410445569d0ecbc70b9c33ba4115f0f8
00d73f1d61efc0d907030191c3953dd239de9aded5c6cc4029262127ce1e209e
fc2cebcda95cb3a39ad6b08289fe3764635bf8bd69a372c05f0140665b57b55a
566804eeaa9725faf35958d6bd0c12ec0715950881d260b6815618fc399f74c5
10cec299494a6aa98989e015fb80ffa0262912a4c2f52d57222fd4e9277e59cb
4860d96e25e9ffa5a288ee4ab81dbda67a521786b2abd2b7a91a3b37e863fe58
a1e618daaaa3133d466df43f3b43ff6b095deb8d2c010f5e35e592800eebc87b
f58399e122dc517bb6594d46903c8ea5f3a913feab06e3038f4a78760bb63ce6
88f2a0b582807e7cb8dce67a8bd81760c0f7f2e6329062c256cb7fe7ec7f3221
a6ccc05556ccbb60a723a57a8a584cc150e2f4819ef7b11c76e947e84dff0e10
a9a86b379236a699c4a6da12df755787d31a8c318e0fb79bfd240896a61f2a51
ba08e639ff6481a49493f7b2c7f5e56500960a32970e29cfdcec98689a3e3451
f29af471bd6ae227e1937769b3bc2341a5906732374a25137ab6d8715bedc874
6a870d79774d97f41d243d912d16c0079b923c64931ad7a93fbf303b0427ee36
4e4e661714c95139dea6c17509411aabe685fa5feada011a232fef5c04244aaf
a6bafb2bb8dc44d9fff66e3301c27fe77c36dde8d0a8a5c95779b2b8770c33f8
fb67e8ad570d57edca0baa8f47ce75a50eedb5df3af97cd141aeb508b8409f3e
a0d70aef1803b9aad25507304eaba337c45d2474dcddd5e52bcb1095087775c7
8f5f58b0b0e95605ad5e5324a75277d25590a13dd9b4e0fb05505b815833a2db
805a169b8f08ee6d903d5ea86178a1e50e65ae3c51a91085227b0e77c04efbea
cb8a598ca7d108efe4e56865bd748cb586b06c2667e5118ffbc22dff3f741648
f4a406b6b21db8b516e579643929b753453ebb4604cc799ec69f712fd7ba42d9
8dfee94c273148e304ce65b2174c1bcf211e31b9fb7074bb03069c831a4b119a
db5a12184d9b6acdf484a88b3e65aa9435f8a9d7eda48418aef2d028b98913d4
54ca735ff5fee6b29cc940ecb074e3b58c24ad834fee7cfbe56e78a04aa8e085
1521b3679443397b8a953666ff6e81b4650a4c3e731bd0ae5c057a29cd238332
e9e0c366653836804dbd66fa13dc4909cb186a2117764679e1e46f29dc9500bc
bf7843608d1b1c3fee60bf8fd4a9410047c8ef059ed1e55e018da081670159c5
01e55c453fc19c5df2c53fa3e1ddf9bc8f8af5ed23d361f3bc30df2e913072a1
a3792b703dde1aa5a935183c6696ce91cdea54579e9045b55848df91e6b312f9
d3bc2b767f795b5fc0859a8a5d3efacb8150a9c272d89701c164d3f703e15ba1
63fef1355c2426329defba3c5fc037b68085c45196ab8bd7ff2991b5dcfc80c0
1e7717a2d798ca288276e378b76ee35a7cdd11e0d32ed32f33670163a08c390c
9d42b1b9280301d54b45752d046405be7e1a632de78723aa46cb20c1cc43c801
204e96b879210c8e42455d3670b69e7c2408bb65324b8243346803ef24af6f9d
1755742f318f26db4bd9a258426cf22e90b27c2dd67e67fcf662659bce8847f0
927dde2c104b2a0d38a5d8c01f2aa5a16a049a19ce3e644a5adedfd670286e57
464fb0b39e6e803f8e032a0380fa66babe20032affda8b5dbf0f8fd687526443
e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd
66be852b20b6210134ace4c51802bc9fe3aba2ef95ecb31940066a11dfe57c34
e11e9572f2bc772cb5858c427326c4408520d1eb0f62ed2c9069c3c3dc710a01
f94b77c7de3e47949556c797e2fac84ada108a52ea67a57d9658fe9cc149b148
9380f842781eeb483f61572a8a327221cddc6402ce15807dd6746c31d40c3bb4
56958cbd9007cf88fbf7bbe0ab8cdd745af7c3cb43f495cf12ef37cace388bcb
710092a3d3733568c12c36e742da685e70ac3aeb9a851974c6b07a3d5f1d74c7
b90122d45b3e426cdf4343cc47fd486e67d4d2fe861f6a686f4d29919a327ed3
ed26cf7c1e212b911017851bdd62dbddd9ebeaabc1a7c39a85780cfe2159a66b
15a3f360c7768d11c783c454207c4a278c0855091901dbc985074a8e3b0c68b7
652eb4b75ead907220dc496b91ae07adbbe0e542f6765dfb57c802cdf4ecf23c
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
736a64dd3a9f74117c2e3ed828599c5aa5844146cf75b3a67d7c775bee0df90c
8a032d84d6da1a5b4afb83c4b9cd9be1fbebb29f3933a09eedc5955c899b1fbf
c16b9319edf591f4b75c3b69e09451de772816ed5a7915c9112bb8dd14e4aea3
e9b9b1c8e972c4882a540641d04979d3c7d6c762ee64707a1a2b147d06a43326
bff9f8e4fb678a405e05a729c9649fb5097ecb4c4a02a87ace28401ad22072fc
ab6089eaf0b6e157fd74eb677bdd1e457cbbe9cc1b97699dc7e8dab7989eab2b
99e39ef9a5267ed9790fbef614fa3a0054025c1cb866295e9e320bc95b128280
SH256 hash:
e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd
MD5 hash:
99e7613dbe78fa96a28c2abb94fa65a4
SHA1 hash:
a22625921195979fd16e5cc35dec3c735a0d57c6
Link:
https://www.unpac.me/results/181eee01-a1ee-4dde-a41a-fd122da0a7cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e2c591e76cb0e5c7e5883a4180c2d7286a4a80a5c3c83c062a8f666e0764c1dd

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/259695/

Comments