MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e972d93f6d8d1dbb56f41027614d7738bbe73d9a8cc65de8b06da666440ae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6e972d93f6d8d1dbb56f41027614d7738bbe73d9a8cc65de8b06da666440ae5
SHA3-384 hash: 4619a8e6637f802ca0d0dabdd797ba8f42a254a62ea891c2af7c0e56af408f3639d96113a30e1c0e7f7ecad4eefad555
SHA1 hash: 407264334d98faca1d0945a554efeea9b9b3ad00
MD5 hash: 309661983ec46afb1868c9b8954d6b5e
humanhash: iowa-lake-steak-hot
File name:JavaE.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:976'408 bytes
First seen:2021-08-11 08:42:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21032b08528b054e353a7a5a56440c82 (1 x ZLoader, 1 x Formbook)
ssdeep 12288:nioQBrcKxHPULy+QVo5XeT8zZlmVlC+Q2cjQ7CJXPcq9g8:n9Q9cKxHo55Og9lU4xH
Threatray 95 similar samples on MalwareBazaar
TLSH T1E4258FC379CDBDD6D03A6672FB3783E9C25EEC5489A0849F61D43579887822332A23D5
dhash icon d4b29ecca8b2ae00 (1 x ZLoader, 1 x Formbook)
Reporter JAMESWT_WT
Tags:exe FormBook NALA LIMITED signed ZLoader

Code Signing Certificate

Organisation:NALA LIMITED
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-10-09T00:00:00Z
Valid to:2021-10-09T23:59:59Z
Serial number: 4797d7b279be40de071a6d59b2d7b8d4
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: eab10c069857ae32119a0b8351becf4ecf3856b051b31329e76a4f8ab8b95915
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JavaE.dll
Verdict:
No threats detected
Analysis date:
2021-08-11 08:44:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d7b845e-a206-4104-b716-b9799a8a1964

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178154/
Detection(s):
SecuriteInfo.com.Trojan.SpyBot.1078.1747.2600.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed484a7d-b5b2-4f9b-b854-fc4eab591b7e
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
27 / 100
Link:
https://www.joesandbox.com/analysis/830740
Signature
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 463170 Sample: JavaE.dll Startdate: 11/08/2021 Architecture: WINDOWS Score: 27 28 PE file has a writeable .text section 2->28 7 loaddll32.exe 1 2->7         started        process3 process4 9 iexplore.exe 1 74 7->9         started        11 cmd.exe 1 7->11         started        13 regsvr32.exe 7->13         started        15 4 other processes 7->15 process5 17 iexplore.exe 114 9->17         started        20 rundll32.exe 11->20         started        dnsIp6 22 dart.l.doubleclick.net 142.250.186.70, 443, 49745, 49746 GOOGLEUS United States 17->22 24 geolocation.onetrust.com 104.20.185.68, 443, 49729, 49730 CLOUDFLARENETUS United States 17->24 26 10 other IPs or domains 17->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6e972d93f6d8d1dbb56f41027614d7738bbe73d9a8cc65de8b06da666440ae5/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 08:42:06 UTC
File Type:
PE (Dll)
Extracted files:
179
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
12e5c221195f7d0a47b98b5d5fff26ea8fc4ad4f76f1c21f47e3a73102f18c59
Formbook
24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102
Formbook
2aad576a107cd5cb031c13a85f8403a3b0e377a608a1af77f6e5607295bd54eb
Formbook
481af12b4e027b76b68c817c3cb806291f52042d3b5dce2e9f073408f596e206
Formbook
607a091d00b4660179f3b9c85bf1cd66edf3a2bc6bfcd794e60030b67363464c
Formbook
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05
Formbook
9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
Formbook
b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2
Formbook
cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
Formbook
f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c
Formbook
+ 85 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:vasja campaign:vasja botnet trojan
Link:
https://tria.ge/reports/210811-lnwqc8lz8e/
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
84e0df12c22a0d8726ba9cbaadd6ce6e48933b99c5d238a865fe37ceb2073daf
MD5 hash:
d36afcf06a5faecc6d8e9d1ff1f3f5a2
SHA1 hash:
95a22bf96e96fed54f822b6977513d6ef45da49d
Link:
https://www.unpac.me/results/70a256e6-c82d-4242-8424-ac57c965ff80/
SH256 hash:
e6e972d93f6d8d1dbb56f41027614d7738bbe73d9a8cc65de8b06da666440ae5
MD5 hash:
309661983ec46afb1868c9b8954d6b5e
SHA1 hash:
407264334d98faca1d0945a554efeea9b9b3ad00
Link:
https://www.unpac.me/results/70a256e6-c82d-4242-8424-ac57c965ff80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e6e972d93f6d8d1dbb56f41027614d7738bbe73d9a8cc65de8b06da666440ae5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e6e972d93f6d8d1dbb56f41027614d7738bbe73d9a8cc65de8b06da666440ae5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1524412/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178154/

Comments