MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1
SHA3-384 hash: 22e19b2a16a3627588ab57a349cffe8f05c7b1f2107509a737a3f1e389a9d63665d20139575da0956a344082d34b648c
SHA1 hash: 7e7d6b8395068d8b8245f2e5ab34dea053817186
MD5 hash: 7a0252538b69144bbbc04d510422ebd3
humanhash: mango-monkey-single-arkansas
File name:warehouse equipment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:411'772 bytes
First seen:2023-10-25 15:40:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:+R2yOGvhXmtq0lbZ7FRBHciAooYZpmQv1LEqW:+QINmpZprVou1LEx
Threatray 15 similar samples on MalwareBazaar
TLSH T16B94122372D598ABF1A617B004375729EB7ADE4494639C87C7883B3F1DB13872E0A746
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon eccc8c94d4d8e8f4 (21 x Formbook, 15 x AgentTesla, 5 x Loki)
Reporter smica83
Tags:exe FormBook HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
warehouse equipment.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 15:46:16 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/17a61ef8-0408-4efb-8d29-a80c537f1892

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456311/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1797.20371.27631.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6539370ebc703e36b08cc010/reports/3aa9fa5e-9f1b-416e-a7fa-143685540957/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Conti
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdffaf5c-e89d-4ed3-9257-bfe9d901d8c2
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331998
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 01:20:55 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ntdta2ldm75ve64kliwj56rd5iadcgnswmbbt2mf45sf3vb3xqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
036c6898af5b3d4003e544deb66eb29bd5a83c43903aac4667eb77e42169a6c4
Formbook
055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b
Formbook
3bc486f0fe0705dc71bd7f103965c5708a878f908ed0ff11ab973af842805a80
Formbook
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
85d5d8fee53df94ccc480e1ad9cdc75f47f4db122d67ec5d4d95f93a551949d8
Formbook
9c91537c85883eeb9b15a6ead090c3b7ad260455f022562cac8abdbe92f65370
Formbook
b3b9ce5bdb8e99a149c06df8f09c2809a42b6ad7b251356fd6f4c42cf8214c7a
Formbook
e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e
Formbook
f0831ec2522d7d8e085f88c8ead0df0478c75efe438e8449bab3f54553e47788
Formbook
fecb7826eb9472fa8b7a79c1029720e19f8e2deb1d2c57c8c6ebf66232ac7981
Formbook
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231025-s4rersba82/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1
MD5 hash:
7a0252538b69144bbbc04d510422ebd3
SHA1 hash:
7e7d6b8395068d8b8245f2e5ab34dea053817186
Link:
https://www.unpac.me/results/a2fd9714-27e3-4a9c-94d9-0419f6446a13/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb6639834b1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456311/

Comments