MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45
SHA3-384 hash: 03b27fffdb6584a48e7b7670d52a22dc9bd2c02ed7514b00deffdb6e08a8e11cbaa1cebc60ff8d3b42a163717f863800
SHA1 hash: d69263fafff812d424ebede66691e8f3ce26c93d
MD5 hash: fd67c6108564928e29d3247254ae337f
humanhash: fifteen-princess-potato-lake
File name:cheque copy4572_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:620'544 bytes
First seen:2022-05-23 14:09:37 UTC
Last seen:2022-05-23 14:52:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:x+F3H+zsL9Vw2DpTnz15XhY+43aH/Pai79OS0A+zSGmMfz:clH+zsL9G2dTnzqXqH/39b0AnGm0
Threatray 960 similar samples on MalwareBazaar
TLSH T139D4120BAFBC91ABF74B5EB7216903562F509008E460E79B5E08346DEDE53E73C53225
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8d17326b6945410b (11 x Formbook, 5 x SnakeKeylogger, 4 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cheque copy4572_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 23:21:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b33af9d-1a1b-410e-a197-2e5d775d7c93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273747/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/628b95bc370bb1455cc0bc14/reports/72a3b669-0e92-4150-966b-6fcd3013fd2d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7042d1a8-9047-4232-996f-fdcbf968d74f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999881
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 09:28:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pdjr6fvwqnbkda7otf6vc2ah3x7gbeuguufm5lvp7ult6c4z5cq._file
Verdict:
malicious
Similar samples:
0b794d405aee51f1cb2bc86d3f6960a9549b5c926d6b05e068d081b3e936ac8d
Formbook
11790a90358d5f0be495fce0dc3870ec8c088f23eddc84d4e90d5d4281ea6f27
Formbook
1de694a30e2faf51fcbd5a7e7054022b883bc644bc0f1df7e9723b2c879b587c
Formbook
581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8
Formbook
5f9e348e3e48670f658701a635bd7d463202a6c6699bc42c632b1a10c905423c
Formbook
85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90
Formbook
e40d04897171c6b9b64d69ef3eb428445b6621afb24a9a58efd3e6cf1867f8da
Formbook
f582c68390a4a146287400a374f7f7388a517597e8020c0cbf295d3689fb4223
Formbook
+ 950 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220523-rgrataeba3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/2ec95b5f-7eea-43c2-8a3d-b724128549eb/
SH256 hash:
260b5fd8c93db7bf86e36b587079483233020e755074798ddbc40821a4afe0eb
MD5 hash:
13346af03b105b0b8f593724d6dc0c1d
SHA1 hash:
85c3722ba3a0cbe36b4a8997a9476bc498b7b3e7
Link:
https://www.unpac.me/results/2ec95b5f-7eea-43c2-8a3d-b724128549eb/
SH256 hash:
e436bc54da50c745c8a858f8b378ab38e524653835cf1ab678e013cbf0a632a6
MD5 hash:
115b2a835b7e9e12afb838888c0746ad
SHA1 hash:
839d795c99acc23df722d2bd2711f5453cd82e65
Link:
https://www.unpac.me/results/2ec95b5f-7eea-43c2-8a3d-b724128549eb/
SH256 hash:
4fd58ef7c85ad75e3e49a2029c9ba97d01605ad5bedf2c1912782f558a2afcb0
MD5 hash:
a2ccbc8df4375409a47d436ef295e70b
SHA1 hash:
7424f6ea0cf1324e2dc795676ed25cc54a140f4c
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2ec95b5f-7eea-43c2-8a3d-b724128549eb/
SH256 hash:
8ff1c66a0d7a23f10127d60777dcf05791b5e5505f6fd7cce780b2e0902deb63
MD5 hash:
d88d3718a6e17c68504c8208992819da
SHA1 hash:
356f87f252754d9f5a171719851957d89cd9b5ac
Link:
https://www.unpac.me/results/2ec95b5f-7eea-43c2-8a3d-b724128549eb/
SH256 hash:
ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45
MD5 hash:
fd67c6108564928e29d3247254ae337f
SHA1 hash:
d69263fafff812d424ebede66691e8f3ce26c93d
Link:
https://www.unpac.me/results/2ec95b5f-7eea-43c2-8a3d-b724128549eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/273747/

Comments