MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
SHA3-384 hash: 646d5599a45910fab4d171ae7a23e4c36dc5c18498295ca9b8e450cd6c9f3e3aa076970cc83a05efaf6d75a996d37bdf
SHA1 hash: f2066b5bc181c2e5788a23c5b335f2045a5c4d07
MD5 hash: 6f5d737532ce8f20246b98b439168fc4
humanhash: mockingbird-alpha-jersey-lima
File name:BBK987866767899.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:811'008 bytes
First seen:2024-01-19 11:20:52 UTC
Last seen:2024-01-19 15:05:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zt0r6klnaP5oE/kbQRgp16XR0oBtFR7ke+Dp:z6r6mHTbSw16XTffkZp
TLSH T12305C43D39B91227E075C6B7CBDBF827B138947F3051EAA4A8D2275647C6A4224D313E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6dd2d312dbc8cc49 (94 x Formbook, 5 x AgentTesla)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
6
# of downloads :
313
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471655/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65aa5b228369fab94df0e2f5/reports/dfc631d0-3078-4d8b-a1b1-c239b5c076c7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/700a67e0-70a2-41a1-9588-2a75b25ea9d6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1377355
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377355 Sample: BBK987866767899.exe Startdate: 19/01/2024 Architecture: WINDOWS Score: 100 34 www.tempahwebsites.com 2->34 36 www.qfs-capital.com 2->36 38 11 other IPs or domains 2->38 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 13 other signatures 2->48 11 BBK987866767899.exe 3 2->11         started        signatures3 process4 signatures5 56 Tries to detect virtualization through RDTSC time measurements 11->56 58 Injects a PE file into a foreign processes 11->58 14 BBK987866767899.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 38 1 14->17 injected process8 dnsIp9 28 www.notbokin.online 67.223.117.3, 49716, 80 VIMRO-AS15189US United States 17->28 30 www.meet-friends.online 103.224.212.214, 49718, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 17->30 32 4 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 cmstp.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2024-01-19 10:15:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5r7z4jwcko5jajfnroxskv3yupxdavomb6bux2phpja6qdkj5hqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:he2a rat spyware stealer trojan
Link:
https://tria.ge/reports/240119-nfzn1schbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
3a5850135a42675ec97cf29b01e8a7204d23b031fd10e15d03d99c6ff9fe14e6
MD5 hash:
c198b0eff5b8176b80b5afa2341d1935
SHA1 hash:
f1507ae0bd68215945325e2386b75b8787482ee9
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/9dd3300e-da7f-4d10-948d-aee9d2a791d4/
Parent samples :
8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b
b240bad854a6a303cb4c10f6fa8629a79727b9d606668e9e62273a98b664fe40
36bbf8364dce4ca87034ac5be0a11cb79d0ec00b703e14f7a6b3f83cc5b66beb
c470e4b00af7989d546bcc74d51f93920ad6b17c097eb8fdece7f701d68ae052
d7147ff4c83891f4338af09c1c6cb2f7fd00dfbf3753bce7024627b72fce78eb
c104d364eec79cad7a9c9040ff30d46e6b2bf694b3c8f80130bb599345fc3d76
296abb33b7337fa594b7a28aaa0793ff1e7218b97974fe1764a0773f8962fbdd
45043a002e8f3d458e3dbde726fc373528fc485ba829b9b02b5826eb63069e3c
e05dd4fdf0071a4108eac210a9eeae5c2bfa44d80dc8eac941f4e4a0d1fc0aa1
b5f2e0b49faad7f9714d0b1088965647eb83d8772b234555738bcea1094dfd2f
ae06162a5d6deb6cb98b2c2f0d1f5e1c8427f15d271e90654d47520833d3f106
ce4538d962580d2b52a8cb68aefb500eaee8f07dd01c1fae3b50b4a40585131a
16c87c0de9538e8cac5d187949b3fe9b1a11ee1ed2bcdcc726ea47115d6701e1
9e392cb448daf1882dac5f6fbc0d736c76bed78befee2c8b513241b8ed6a95a0
71780af43512c9499d7388e6c3e04b3e667bdbd49e0defb6a458126be2cedde6
e40bff3bb093b2bdc11d7e1d5a990db99b3a914dc74a1aec2d28662da10cde9b
041e8def9ed010055a5b366d501d80f49601e6c8650470c7163addb52a45e634
43b5cfd70c439d116d7ec6381d664d5c8e7f89f84eb4186675db11bf830ebabb
154da40b848da265e6339dc5773113f75d1b7922b1273a9e6ee6782e33b6b6e4
5beccb2435d3933d532afbe6c4f432dc6329c280c0d9fa8a849dcd797d542cc9
10f995960aa806c718494876517cb801027ea00e3110e9b754b1ac039a0f696b
05d10f03be1265543cb1dd13bd493f52de93c6ccceef98fc3ad9f2cd55930ca0
ec0778be2b035c23fb64b29a0b1480ab8e11e6bec3ddc1f6f94dab39e35fa4fb
14ac214aee66557d77577da7211f5fa6476753b38ff8b40738c660a88c8ffd35
66e61b3996bf7efd0024f9dc73bd4e9d180b1347dd10e2b9a985eefde8cbb250
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
48bd774210f381b63ba719ff062f5000c3e1ed8648f5df60530b2e65d5447c01
eb9bb2864bcf714084d8b6c2d9dbcf55a30727c8e87d66eef592048dab10dead
0361bde7da9104b4a09db39ac90c1af16e0aa137f4f33c57c9844066ce7c6d7a
9a2008be914863b763da0fec53a39e995cae4bb95a03aeb634c95ba7a6943522
7af9cc5b2aade862d245026c370d0d4fd4d375426cd26357abba3ddb4c8a9824
4d0e2778ee5d3e6ecd06d412459a79d86e9d2742403e378c7581a70cf0e2451e
5e1d953a310fff548296b75e81092f5f360c146f02c45627fed82a8e85e8582a
64fdde31e18afd348c0727affafb347f0cd0203ec20268fbea9dcb4cc6d1caa9
d1fdb78142a09be2db38f3e704f9cc96649745d1055eef07a702ed674cb4b9ed
f9a4e3002fdbcd93464f38fc49bebadbcc0417454c702e8298cf245fc751eee9
f797e394559b216d6a6fbd4ef0ab89291e495fe1b5aad152b50fbe5874b21f58
9963577e3c04d62e4f22f861f0c7a51b9f297847125e271024c6f138a37b08f7
bb8548a744cd648172b769babfe7fb42aec25bc35e812f491af41d31c4c92d13
b46aa459568e452fd54cfc23308ec8f18affb47fa20a5813ac307ae05562a099
82dc16435a574994fdc6844c28c6293c8b6753eb651ce4faa5a002ad83914123
85f953d72889a0c7dd1908d932854ce5999e6bf65feb103e611cf20e05f353fa
b7b13f7292e1c908ad3d37dcc096ae01582efa6f1d91893a78bd0f84b283b148
779602a8ec3577cf114c41704c9fe2b90130da2dc331c4bc2cc5a0082ebacfd6
0322ac069d3777358bf3ccb0af596a20dcaa1d0888dcea9e043dd969eae4bc3a
1e6327a5456f3aac77ec28cc80c9f9f8cff8a157a25a8a2f597764dcbccce3ea
9df6347fd6d4c18024e5330a6d05ab03d7f85f7aa70d7f083bf80f764852a367
56a918e62959cb549a2dba171a6aa849434cb4052fcea42f10a85fefde442b11
7cf52f2f8e215fddb4ccf366bcba1dbd374745a86e45613522461a3a71ade4fe
64d39c5ca1acfee70e9e783ae33212a0f271ba323077a7c2b0a135706e3e37c0
2a0883f81fa813b247ae1243050bc720926599286a213725a86a50ced42c0ead
5dd4c27314890b2dce6f382d1e7211938c08fe622d120f98924db0b5396dc80d
5931b9bb54cd619e0e0518c4e61654a3c154b59e72428698ea3f381cabaad213
ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
a4e15cb73ccfc8ff3119326251deca62b7618cf21c6554eb3edd9aaca2d222f1
7145bd1637fdc8111b86d7586c07526d2c9db8f4e2f30d99ea9740feecfd3d2a
d734447cac7e7f4656b9eeae3a3afbbbdb5de5383a086258e8c2bbd60af69489
f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926
595c20f94db2ba132681d1b669ddd21a561f50a5afd4df0925fe8fd2d988f3c6
9c051c1f0938d57caab88ddf7c68456838889f84907436aa6dbf50b1e35ea6ab
5f1da6912a7c832726ad587d5b8cc3480e931d1f7997603a0a391b422b1013fd
c365a6886581c5afdc2bba03f6b8dd4af723c570002d359af8cafa1c145e4adb
4c8efb2c7d2516b6253a3008e5f4dd5a0efb6b9752c76642491d9f6bfd9df6d9
c8bbde20a022606bed6b8b1fa2ee04d67f797e9f0db2b2ca76521a16f56b267a
2d8467103cc2a2c613c8b04a174839f339c793f2a4b05f872c538e06d5e89a78
2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625
5cffcbea55270dc431c4838acdfd6f2a12b7b3e7671674816fc717653abe577c
9038c3bbcd0f0ec3a2dac2581ddd2eb0cd178cb4bf307562cce6f5fbf21772ae
f7f15a2841957be3bf2831fa44dfcd0125a68f1a36db209bfc17fee0a6d77b22
c4228dc6ce27a3999eb9319d40699625d8e003da61d9a4f274584248a0535548
1d85b0167afe65046fa652f0004736612fe1255ebd233745e94a01451c57f190
f4f30e7141908e117623dcac4e9f98cee8287fab750a1d720bdba5350cad19c9
81af3372de9de0b722517247542598548c0c6745448d247f3a99da73e4d635c7
c91554dc0140d85cd8b7375c44f322bfb86594d508b49133f4aa2059316b6ebd
59bc08231420c0f5ca032178b6654aedde4825136fd3e65c71e4bfb10127992f
7d0c488d900c633cfac5914cc35d1a31d3549710db2c9ce1612ae94ecf106dcc
SH256 hash:
900c325611d932c523bd52f76d838e97537b401c2fdb68cb1ca8f4144b5114f3
MD5 hash:
d27cb00813a4251416cce325be2bfd46
SHA1 hash:
584b8515bbc868e71d2eda9a0b8f590075281547
Link:
https://www.unpac.me/results/9dd3300e-da7f-4d10-948d-aee9d2a791d4/
SH256 hash:
1d33d555b73c704ff4fe4034d52b78ea5adc015480134730ee5be35dda903dba
MD5 hash:
d57ba8cdc26064b4bb6d9a54d192eeb9
SHA1 hash:
5667c386c978441a63c13a0bcad6a12b7532281c
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/9dd3300e-da7f-4d10-948d-aee9d2a791d4/
Parent samples :
a3bff963a78d300d87f4eb0b72b89f77dfe2949c020d49787bf69f78cf950957
cb7c810d1def4f26ab7841a883508648e9d5a7de232a066f63ce7acdd8e4f5b0
7e4178777e66874affc0c4e95846d4fadd7b9d39252ef984ede3e13ffdf0140a
7f4cf7be9758a49380bcbf0d253f9ee9474dcaff8807b4807b6b6604c8145fb1
e1634ff5ede9a20d67be7a3fae3c88a3983ae5c2804b588637068b0dc9fe3a0b
ff6b215f19a9c250170c0b55fbe400ef0abf5f619ca223f8e407d2141f522122
700fd6c408ce5d0e3953026e355db953dd3ca0850fedba2f0c772f7dcb18d80b
63f2ab7b378b46324d18e2a5246a1966d80be0952738c16c512358d537216ee6
c36013e4224ff11ecd2d2c1eeb69830211e2cfedc94260678ff9ee16590c89dd
36776fd1a84b600bff010627124a10d6d7b2924e469ba04f0a1ff39f003c129d
e6d8312356c497c9781cf72f5bbb56a16643c7c3dd4fbc1745fa92577702de62
05369208d0c31e1f2b1cf7bfbeb95439f5b23a08d6ec859a2cf51530a0c74ac1
772c3cd8d8d7bc1043d33a0f97e74e9e97754752f0a3d9c50aa28bfc1784acd3
ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
841a8d318d917200d97923744371ff2e98c5ea8d9205823bfc895a9a494f2538
705322479931288652d8dcca3391e35ec17f003f68085455d8f6e2acec7dd2f7
055f46cf6b7e99842948d4e59820a70b779c864471c9a4234d7ac68637b94f6f
b5299eeae320619ecbc6a36ed9ddd7c7aef9f91779539f1c72bce38de5d82635
607c6eab23177feefeb9b9e941479f5c70f9132eea7355f693bf0c0f3bdd961b
9332e08a8bb23a66d9c1003c97fa4efbe3b5aaaf804d8a4ebb51323df3ade564
fd3c1907423ee42b394833ce43061bd8656e4250b63b5f0da32d6b101c99cfe8
72a051505abb9381f7e7b9256a38007e6b2f73915fd0b6d1891bae17063e8259
a27b90af0efe1643f641173c2a2efcb9eba21a9b4e2b13b8aa7513665fb490d7
0509f94b1130c86832027f9990c3f3da9a84bc00f1462e99e8ef16a806944bb4
2ffc3eca97e5736c881f13458e38408a554e94fa8df23753bf15423a6673e8d4
a72e43fa37b46c6c05aae87485a78b39a69d82624a447bc4a6f2481bcb892709
5b17813545c85a10c81e81610c7ebf01d2316f80c8b02b89bb747c31a8c919e6
94a33f12727532ff17c7cbce2fd33276e607e53bd6e03e8e7ee38f1386491bc9
b348825be831e3eb48ba5bee71b43e90073ba4d29056c86aea794dd1b6424618
1772bc937beb129e72657d927f5f33420225761fc634aa0c2a65c48f2bf35c90
ea399759fbd83f80066105ff45bba9e5f4d2756eded1a0bacdc0bdf32a283af2
58924b2968d04cc20ff58b4d0c4c220f7109eefb13db6b348aa2754293fbfe85
0497f6d061c93f99d46132b30e460f5e856ad3749b1d7ac9c9e1351e6db37020
bdedbe6d10d500531db662fdfaaaedf6b3362c144189443e1945f16c2db331ca
22de0b61308c9e186e46c8b584a91bf0d30e41822c8bb057ba83d8ec1c4b215a
81e7f10e3da2b0ae2e6785fa2126c3e76c3d11007ded45f88fd08390a25e7e69
8b44d22c62f8f7f749ed63a3ae1ea5068bdac5db4fbccec5635f47a6fd27dbde
c3cbff3aed1ec835babf2cb779d38d66ed9328662fb049819ce7d199e693409b
d4de5078a15d847876ba1af8c9d49b5449eaf21515b7a70307d42ced8c335ebd
c0bb5c738263d4ab3fbcf7743f3b700324c93d3236cfaecc0919771b0efe1b70
9d58f6f9e8cadbecbbef127edaa0f5376f8a52643e8d08d029f6672783a16e22
21f4cff809112e0a354179b898ede4e2d46c02c4054faeea2a1d57c08f6ac6bd
3e941cee8775445c37f252c350d1db6c09ba1587a798ffe8ded410568fe84629
008829495fb07d03d8ba297ade38201a8d713902ee7b2c18710e2ca63513daa3
e615bd88ac5bd226b4cf4d0893aa6a6ff8b1dfa91bf048218cf8dbba623c2796
070bc4d30d213930baf0450e5f9fa01b63311708e85bb68069182400a3946c49
83f04cafd0ef0c6d710c4116cbd6222b5746d7c2053005b395f78ea4a0ff07ab
5d6af06be9ec01074484b491de582d0ba0625f30ef36b96331675cd2615fe7ed
15114ec1d55832243fff432834efa5432e01e8834b6b8bfe05c7e6e8bdf78b7e
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
f746ed45af2d73fae31d7c7b26b365377aa7d8bc97a12b9583502797c71502f1
cecd3fc1bf9666dbc8f10ef183088b53b0b8ddb2cd7a2590ae55c569cdbbdaf2
1d132becb6f5aa7c2597944d9fa196bacf8cea871ccbdd09ce64cab06f581583
d5b58663ecebfcc7b6093c8d0fbea2539cbcaeaa00d3f46f38b60353223ace6f
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
0b31e06dc15e96e9b5a3ff9f7618643d8d0e8e71f631414482ee8c218bbd2d85
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
59bfb982d029cacbcb298fb5f5cd32d30a4420c92cca120304e144aad3608068
41f69d2ee1b520c3b7b6f890f1aa179e8e4e7b42e0ee9bde0d0bffe6ee99e21b
0dc0814bf9af68b936d74daf83ecc88ed015d0b1a53c1bf886ea739dcaa1166e
a089efede840ee87f839049b84e2d055269fb6d0b349189e818f29658cbc3d11
387728d4d68279a1347744d93c6e1b441a8c85f954742b48ed76602c6074c399
e453df70a43c13e5369e84d709be914f98bd1035d4efee09d090572baa1845d1
d1eff45d764dbbd9e9fc345263b8b7f3b39996d4dd57b3c3ff4dd57215faad07
fa4c8c4fd3ad0008d15bcd71e575130151f5f211f7b1fd3e4c934e68f9ec5ad7
776774dc37907872aa37bd08d7940d51fcbdf88d09dddfd406215a9a5711dec7
5d47a80d0d70a08c67a9a793bfbbb939c9b13938e76e4b03f8499b3f4e4caa6a
5a35f52e0d2648bbaa5effdc525dddae79a9012344c54270c12415ff6d83e52a
289c80a31dd9c0f4c69db3288e5240e090a70e076fef4e392c63af50d224e4a5
069960eea034929991cd4c1edfd5cfbe12ecd1fb8cc85a58e64696c69839f49a
d9ce37fccf19b2aca12e06ede4bfec3654bc288b8748284e9ecc2676b8d93212
8d02093810a5c085023f3fa3de9619de6e51f5467f7826fb512a9e7878bc4569
2e62ccab66721d06ed86a11e1fb8e2207f440529a148efcb866b29f2382d12c3
aa2a7a45f9361876ba300272fd6c98d32ccdf80927ad088cf114195afcfc78bd
f318db79a444204fb79a7e1e023b3bfced09f60e439c9fb926580aad1b9e09ed
2d79661bab06962e3e62224d335c54bba46b49816053a657f5e385f9c664decb
18dcc42b24c46ae2977b3173964ba0a89595c83839bf527a32a7c7b28b4c369a
89821d7c365a38226118279910a8239ebb5357414ad78e69fcf23dc1092ea3fc
558122a88015bea8cc58d92d22e752167ccf7d837d8d85a3070497471660de3a
d8de75418c41232ba6cb4177f0766f5c48bb4952641c8c43c0a1f066f997e5b7
2a0bae477238b2eb5b2dd0127bd7b1a6396f6512dd6b3dd8b85aef23fcc59322
0305ad42c7da1b460dca33c0053dd6ebef74cd532f443817d6c81bbe74f959bc
e24f2f385bbbb4c09d165929599a3a802da74c2071a40b2d192313e21c0de4da
98bfea598fdbf66e6fe2ec2c44712794464832f0ae920abc93843780c15f506b
421bc23fe947a02ce49679bf4048785e3d50f4b914c0de05119fd12888687623
198596d17d62409a12b4f1f21e0a165774653713a4f9f5918ed710711b72573f
5a88ba99a9a102c08cbc44679f5bf078a79134bb99d0ca92fae9a8930500211b
3b4e3532a40eca44a5d89734e3fa567e88cdda066bcd7048172a5e1f95c8781f
11db5a95e90d6d4fffdd165db26971e275c9f799302de519a118ad1b48c4f587
1899cb937862bb84c5e4ab6a7211474a014cee50d4a05099a17ffb63ce8be0be
3d6c98f71037a6853222932b8b2b562c999b6111535c71081c7b90881b76b8b4
d948f80bf490f2dd3633d96c0c730b023984f67c45f225bf4c1e169085975293
844a5da9df7b604b6f85ca154026f32842425c57cdbdcd68cc6dc00d05dd1f29
258d0d5f9ddd5fb732807dd74dbc71f99adb82b82420f193573d01cb5a3a563f
683eb38c67e70e0cf2b9f5b2cb2ecb80dd91abd50539e216de7568512d5087c9
8957582ccd1876780ff5a43336984ee23ff03be1c8184a6ff9797828f52536e1
7a387acbd5bb25530813087436b2207051b361ae1e6d32f451958732cdb3b7f4
b2f95f5faf9437b040fdc78d347ce9aca970e2cdcffe877939362210bd685d52
f87afdb24721791be0b5b0a400b20a4f6545f8738b6a6665e1b0d09213c43b5f
fff9e202e5905ba82f68b445004980a5a99b78e3e86098bbd7568f8e61fe3260
85d6eeb46f4f808ab01a7af7e736cecb2e0d68baa4a60c1fa579a42558746de3
781f43e37ca22df3c807e1238d271cebab045e38212a58b5f47406e9ece9e2b1
923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
d6a64dc592c210af25a948be2824c9e92b02d99786004fea9b21032d467b9a12
27769f4bb96d0e605bdc282658c6a729e4ceb8447cd9e1f9880c69862258e66f
453a55e207726e7d46391d250ebb8be6b2f188c27ae597d49defeb8831f026dc
9c08f0499db9529b8c171f66432a1185ca004f2762ee77e3de9f3d8a8f5998bd
24b2c5278a4d80c22994b4d9727293aa6641ae9947f7ed522b7b5f44fa1f7a63
90ce02725d886ba2f6ae19d75257230e7fb80c9d19fa77d715f3e3226bd07125
32d376bc206926ca6f299e97d04644b68e6a863ac4975bf4a804bd120e82aeab
c6e74d13f05f11c8bda77a12154cc75b110cfccff566ee72106f80b302734565
0bb832320a92ba68c398f71058c99556988795e84f3838ffa8143921c3ed04c7
4ba298859e61cb9c39d9d4a4d556fe6357ce0901d5d4ac6f78e6e15ced75cccb
055df72340a95664035986e6d027055304abed82949af74bb5e230c841a8f8f5
47d396f2913a1a812fa3421d33730da64905cc93d2936d048fc51ec9ea2cabc4
6271c329c4f40cf98e90cfa7016bcf533be22f66c7e20446ea721a9a475e2325
b557e372c22db30990fad3e3226c4ab649d96b40170cb8890ba401d6ec0f3cc6
938e74e2208f8d67dd6e3d8cabb73682e0d160f6270171fac3af80f7712304ef
f84f0208e1ccce6876611ab8d7e4c92f4e02427e9a72283f5346f98bf6539160
82456f6e550951ab6a0dc2cec4f2b5dc7cdf7e55170afb0589fd01196622e98c
ebaad7382547ccd2a7122e2a991e0b5fabcfc49823e258eaef1c2c57062321a3
6e4abc6a114b9b50936426d9eba916fe2a4fa59e9e226ce1c369ffb092d8087d
ff232b508c8bd32a681a0a4737e6028f92538cc923cb67989841644294493b00
04709040eacfb086cb71024a846c381ba9aaaabc80580aa2a63057df7ec218f9
8a29c80b0cd5df46f57f94c8934bccb49663e1c2311670875aa1ac48004fbea2
20e505e45d023aa2aaa74d1afb765b33a21e6b09de26a54760cee2c4f5ce1453
6c1ef5c49bd50a87b78c6836da99912d61bddbe94f5f604bb6153ef2fd9b0510
cd0cb018865b79f3e52d5dd49fb34e2fc0cdeb41feca165cbdd23fda66c2e6ae
8fa2e0d127c12e87357d7e9c41b3e71a0e2bd4bda5a1ad9bd6b10fab0f934b05
a8148f9225500d804ff688e662c4d1c08ab0c7a5575d9cc06feba87eb2afed92
12a594716a14edb8fcc167ca1f5541fcc2bf6f8758be3f072092cb7869bed11e
ef9291504c34bef37e4bd77b57f064beeedfb87295da6e6c5979970986f21c7d
19a9be9c599e9d453d07a0f5d72e891ec5b978d47c54ebfff855f9aa2b0994d4
b434201842862745c16dc4c8d7eb1e21b7fbb0896ccc1c1975cc9e23392a7b46
cde87a87ff004bcd031ff14bcaf31f598e4cbc33972fce7adb8b798d80d96723
114322a61e042f61dcd09306c0d19f875e41638452c3bf9a24a6c8251ef5ab72
77a38968b37bcb562fb8df2e70f08d312cabcaaf5dca09e995ead70240a05a30
65af772e03925fe6f08f4da235d1b7d529fc36ddfdfb4648276431f94cda0636
SH256 hash:
aad5bfbb1ddc1e1e61a9bd8fd81dc629e775a16f1c9fe0458ffa89124af8d80e
MD5 hash:
c525fbe0ee1fc8d400dde70848e60325
SHA1 hash:
14a6e8f6e96541e3bf998dbcf86fc54b224d617b
Link:
https://www.unpac.me/results/9dd3300e-da7f-4d10-948d-aee9d2a791d4/
SH256 hash:
ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
MD5 hash:
6f5d737532ce8f20246b98b439168fc4
SHA1 hash:
f2066b5bc181c2e5788a23c5b335f2045a5c4d07
Link:
https://www.unpac.me/results/9dd3300e-da7f-4d10-948d-aee9d2a791d4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec7f9e26c253/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar bc52216ecd78b69611474776b109ed05881a4e7c9dff4883a616229a9ace1516

Formbook

Executable exe ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bc52216ecd78b69611474776b109ed05881a4e7c9dff4883a616229a9ace1516
Cape
Cape
https://www.capesandbox.com/analysis/471655/
  
Dropped by
MD5 7e07918c4ba7010b801c8765e707818f

Comments