MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da
SHA3-384 hash: 5db5be2dc58dcefb59899b8f2a2f880ddc32ac4580f7e14e47c87b0413c57e016cb3a87b604581a260f6e5bfd1a1c6ca
SHA1 hash: b004f5ac43ab5d0c90e68e4a20db9696a97fe521
MD5 hash: 928ec247e6f6cd246851bfab7a7154fb
humanhash: fourteen-autumn-high-oregon
File name:928ec247e6f6cd246851bfab7a7154fb
Download: download sample
Signature Formbook
Create hunting rule
File size:269'042 bytes
First seen:2021-07-20 08:34:29 UTC
Last seen:2021-07-20 10:41:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f45f4bccd20f0a7ca0fccc38d235a8f2 (2 x Formbook, 1 x Loki)
ssdeep 6144:SQbSnYgZbTL1QNCVQAE12yeFwtLQgJlugDRe4JlTQBUrtr:SKSY8TL20+AQ2y/t9ugDRe4JliC
Threatray 409 similar samples on MalwareBazaar
TLSH T1044412756D7EC7E2C6918833A3253AF9850093F7ACEF5523BFA81C1A1FBC190525AE11
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
orderr.doc
Verdict:
Malicious activity
Analysis date:
2021-07-20 06:08:53 UTC
Tags:
ole-embedded loader
Link:
https://app.any.run/tasks/d8df4645-371c-41aa-bd7e-e739e20e7b7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172727/
Detection(s):
SecuriteInfo.com.Variant.Ulise.260215.25330.11265.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32b102b2-3b3a-475a-9fad-719908d5fc13
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/818747
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da/
Threat name:
Win32.Trojan.Ulise
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 08:35:04 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1013840ac2390a6e2a17e41c6750382202efe8c7449505248322ef6a39750fc6
Formbook
10b9c66c17d2e559b0770c647386194546a4f64243e813fa2678cb7f7b16a5d4
Formbook
32a0c4d5fea8fbc8dd04dbf43f3d3877184651e1b59fd831bdd2af1a64e8f7aa
Formbook
5359d2f2d3a0cfec993a2d15a30db38289a02d3fda4acb8843750ec50ed344e8
Formbook
6b7afa4ba43a383c37bd7a265fb401be83482f7682cd2f6fd1ee733a38314092
Formbook
8cdb536378c7a12bb65333b52664cb99cd74a8b14afbc1b74ae73111b8edfc57
Formbook
9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c
Formbook
bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc
Formbook
bee3c64a4d3862a54f11a05303fb39c9768891841673269e477d0d87ec1862e2
Formbook
eefd38a540e7ac67780dda6a05981f1c6c4933717adce549e060d098e7b0fb29
Formbook
+ 399 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210720-pay6ebjyvx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
82c2384aaa789fc086394364777eacffa18aa54cb49ef814ac8c469ab7743ffd
MD5 hash:
f98bb689ca80c03734ef16119eb5ab60
SHA1 hash:
b8c1197d650e04e8342be9409ed710f71735beac
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/71873fe6-cd5c-4087-a287-27bdd6ea2480/
SH256 hash:
a71e2a2e28a3787da40aeb8bd16df418f7f63a59f5341757d914a522ac915685
MD5 hash:
96bd8ef1683ed08a9e14f5bb6f5e0466
SHA1 hash:
e1c5806cea5383942efc19c8c4599f739c45726d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/71873fe6-cd5c-4087-a287-27bdd6ea2480/
SH256 hash:
ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da
MD5 hash:
928ec247e6f6cd246851bfab7a7154fb
SHA1 hash:
b004f5ac43ab5d0c90e68e4a20db9696a97fe521
Link:
https://www.unpac.me/results/71873fe6-cd5c-4087-a287-27bdd6ea2480/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172727/
  
URLhaus
https://urlhaus.abuse.ch/url/1468004/

Comments