MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3
SHA3-384 hash:	5d383c8232df360884aafe12cd376c33d20b586951637538d5201c1ba16ee5c827f8031130ab2222fdc919d6d79ab3e4
SHA1 hash:	cba7e3fef8edd1ae92c5bbeb9fedf1bc6842075e
MD5 hash:	56005c88cc24b687f235fd0e4dd39b1d
humanhash:	oranges-island-emma-mobile
File name:	transfer copy.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	452'608 bytes
First seen:	2022-12-13 07:34:16 UTC
Last seen:	2022-12-13 09:30:36 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:3DbFC+C6Pv+3/OimO39SPhgcQANsVK8NGT5b5:TbFC3XGHucecQASAVb5
Threatray	805 similar samples on MalwareBazaar
TLSH	T1BDA4F16D2DFB0A99CFD940F9176F1626AD4CDB43B195D833A9AC143AC0677E844A037C
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

transfer copy.exe

Verdict:

Malicious activity

Analysis date:

2022-12-13 07:36:42 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/5e4913bb-36af-4d2e-93ea-c915445f72a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/345754/

Detection(s):

SecuriteInfo.com.Variant.Tedy.256725.17547.22687.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63982b279a505ad9423f70c3/reports/fcbaf3f3-7d1f-4d80-b330-c945817da0dc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09360906-1caf-4c2d-b1a2-c0dcf17f014d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1133239

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-12-13 06:56:08 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5sfixjzivsvmeiwenxukrxoixgbb52g6slv5ooq5w3zluexufgrq._file

Verdict:

malicious

Formbook

533afea70b1fd1d2bc1bc9ade167aa251bdfaca969dbda48b240a17e01891986

Formbook

81f88183029a59901067dd41d3b5fccdfbfc71600c6ac5cc259b83031cdb2b50

Formbook

a8af3c1e7acc8c9940cda87d5a962608b53431a6a0a57ec59edc30bcbcbf30f2

Formbook

af90b7982f9e83491575881365351306991619644e94fde6382d892f27a7fb1b

Formbook

ba4f6fbd034bef02cb7a118b6b51e5ac65e0e9c7fa340c099ec5588dfc463c6c

Formbook

d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d

Formbook

e66a3a8ec788ee743a53778ce3adaeb98d15c691a4e15a361c644b5e98e2f60c

Formbook

+ 795 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/221213-jen4nsgh7x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/700f3beb-07c1-4a59-b590-66f5a706bde0

Unpacked files

SH256 hash:

ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3

MD5 hash:

56005c88cc24b687f235fd0e4dd39b1d

SHA1 hash:

cba7e3fef8edd1ae92c5bbeb9fedf1bc6842075e

Link:

https://www.unpac.me/results/5196d127-09dc-4984-a7cb-9bb7ca36d8bb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec8a8ba728ac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/345754/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample