MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31
SHA3-384 hash:	ed33d9715f265aa5eb026e868f93bdba1062822290ca00655ee9b92693b89ee66646a182ee3002cd58825498f64edf2b
SHA1 hash:	bfe1e38e79ecee5cb3052eb8374ed4248bb71af2
MD5 hash:	5d7ba037af21afc33c5c830a64977b05
humanhash:	black-green-alabama-lake
File name:	DHL Shipping Documents and Notification details.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	982'528 bytes
First seen:	2023-10-18 06:30:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:G+Ihk4GrRqkwYZizBKQ/kr42dVyBgK0Qwg1X+aX0c+TRvHEMiF6:SmPqbfdX/2hyKQFtATfX
Threatray	30 similar samples on MalwareBazaar
TLSH	T147256E3D19BD223BC1A5C2B9CFE5D827F000D86F3462AD6598D797A64357A8634C323E
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/455586/

Detection(s):

SecuriteInfo.com.Trojan.DownLoaderNET.710.15888.4535.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/652f7ba810dbe5fb92cd5e6a/reports/3eea2c65-0998-4e4b-a1a2-459b53a2694f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4547695-378d-43bc-a098-54135d6f351e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

n/a

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327818

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-10-18 06:31:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 22 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rxopvpzp57f4fdaf752pehrgd2qbt4u7zhrqbvntdkfhrnmt4yq._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231018-g92l5sbh91/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Unpacked files

SH256 hash:

c941a534f960bd544c61d9f3c13ac12a678de6698871d254bf0110ccb8efe259

MD5 hash:

5121ce19f29de71067d1083d7073eb7e

SHA1 hash:

1a3701d6e38c21ea741b417fbf8410c4a0fc6437

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

SH256 hash:

14bb209b285279dab6ec2ec5b36dca3286fde25f887c5b7c2d250296ea1294ba

MD5 hash:

b0172cb5587e2323940dd50f7b8e160f

SHA1 hash:

630f9a2f75385c31819c26b625720ed0b07f2226

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

SH256 hash:

a423c504363f667df200214a38b215fa895a69269ce97c2e15598b848c7d0df5

MD5 hash:

c7ccf830737d959cf412698e58d79bec

SHA1 hash:

c471a80a4dabd417917ab948e5760c9caaded460

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

SH256 hash:

de59c3246c72163cfc5d3b5a8aec72ec6a585893a6c7d80fbff35238aabe6027

MD5 hash:

c3b2bcacf04baacd6daae4cf4896872c

SHA1 hash:

b7815d4d77ea49e493898d9ce06061e2c9c83feb

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

SH256 hash:

ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa

MD5 hash:

51e85d063788811778e570139e28ac5a

SHA1 hash:

b3a9f24d4d25c91058e6c1f91e07219423b428fa

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

SH256 hash:

d511c0658340ec9d35d8f08fd22ae55c6aeebcb52dac453040817a6f9ffd7e43

MD5 hash:

3ac67cb9041168e636198401f53d857b

SHA1 hash:

6207398f41db994130c80150a0c2598045e68b45

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

SH256 hash:

ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31

MD5 hash:

5d7ba037af21afc33c5c830a64977b05

SHA1 hash:

bfe1e38e79ecee5cb3052eb8374ed4248bb71af2

Link:

https://www.unpac.me/results/e604cb0b-adcc-48f8-8209-e5046c682176/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/455586/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample