MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
SHA3-384 hash: 232c2f1ccd6093fb79bc63129ee5f7f6786f44369933418c39281df266c42d300b9cc6aafb9e52723a77cbb1bf4c2e25
SHA1 hash: c08cc4c7c7677b5747e6754de482d3c0869d9d9a
MD5 hash: cf4379cf7675fc254a58b06862e47850
humanhash: ceiling-fix-mango-virginia
File name:eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
Download: download sample
Signature Formbook
Create hunting rule
File size:1'933'312 bytes
First seen:2025-03-10 11:26:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:019CLUydZJ3XxXgLxXkKLgfF2/Et7zIqFfY4:019eJWNULYsNJm
Threatray 2'230 similar samples on MalwareBazaar
TLSH T12495E040B7E8DA5FE1BE5B7084B3B16597B0E48CE392E34F1E9066A56E837446D012F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
Verdict:
Malicious activity
Analysis date:
2025-03-10 13:11:02 UTC
Tags:
evasion exfiltration smtp stealer agenttesla
Link:
https://app.any.run/tasks/eef384fc-2e47-40d5-8710-c9465fd2c32b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ced6b61f777fe30608968f
Tags:
autorun virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
krypt obfuscated obfuscated packed packed packer_detected stealer
Link:
https://www.filescan.io/uploads/67cecc9df8726576332ec416/reports/8d4d9058-8077-4b04-8644-f00343141794/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a3f11a1c-8559-43ca-b7ec-e2a96169352b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1634838
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634838 Sample: HJE6WbtNVN.exe Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 29 nffplp.com 2->29 31 ip-api.com 2->31 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 9 other signatures 2->43 8 HJE6WbtNVN.exe 5 2->8         started        12 wscript.exe 1 2->12         started        signatures3 process4 file5 23 C:\Users\user\AppData\Roaming23extSink.exe, PE32 8->23 dropped 25 C:\Users\...25extSink.exe:Zone.Identifier, ASCII 8->25 dropped 27 C:\Users\user\AppData\...27extSink.vbs, ASCII 8->27 dropped 53 Drops VBS files to the startup folder 8->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->55 57 Writes to foreign memory regions 8->57 59 Injects a PE file into a foreign processes 8->59 14 InstallUtil.exe 15 2 8->14         started        61 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->61 18 NextSink.exe 2 12->18         started        signatures6 process7 dnsIp8 33 ip-api.com 208.95.112.1, 49710, 49720, 80 TUT-ASUS United States 14->33 35 nffplp.com 163.44.198.71, 49714, 49723, 587 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 14->35 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->63 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->65 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->67 77 2 other signatures 14->77 69 Antivirus detection for dropped file 18->69 71 Multi AV Scanner detection for dropped file 18->71 73 Writes to foreign memory regions 18->73 75 Injects a PE file into a foreign processes 18->75 20 InstallUtil.exe 2 18->20         started        signatures9 process10 signatures11 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->45 47 Tries to steal Mail credentials (via file / registry access) 20->47 49 Tries to harvest and steal ftp login credentials 20->49 51 2 other signatures 20->51
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca/
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-02-23 09:39:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5stwxlt46375733cng26v2f4u4bgmpr4fn7xvstltvgrsqtwvtfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1354429a271a349329dbbfda561fe0eb43ae4005f5d3c4abdec9aef08cf23baf
Formbook
4aac198c09ec253588b58e1b59668ba4ac7d1fe7384c78f3dda29b29c56e557e
Formbook
4d391afd477088c3d8a70522dfddc92ccd709783b1cca363ed92b01d8f3458dc
Formbook
bb0858a4512bf600dc3df29c5801c5c5da6732d89dce68591e6828291bd04c38
Formbook
d7b73de8f03918a646766c3297b91ad4f31f471e42cb3a5753c9a8a18076cf52
Formbook
error
Formbook
+ 2'220 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250310-nkj45aspx8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
AgentTesla
Agenttesla family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/30b4350e-d81d-43cb-be47-9e56b358abe2
Unpacked files
SH256 hash:
eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
MD5 hash:
cf4379cf7675fc254a58b06862e47850
SHA1 hash:
c08cc4c7c7677b5747e6754de482d3c0869d9d9a
Link:
https://www.unpac.me/results/4e018e00-5087-41ff-a7b8-1bfae6059aa0/
SH256 hash:
125bfc72d71534a373a6c9e3eac26bf54c32a99e1f3a6ac47f5bf694f88c8503
MD5 hash:
146952588931888ea75c2ec3ec75b65b
SHA1 hash:
adeb58e4f38b87210a1194900a6d9d7ad859e348
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4e018e00-5087-41ff-a7b8-1bfae6059aa0/
SH256 hash:
31c1cf2545e26420671ceedfda1531842f1e8899bfe5320b73a6ef4c9ba4d19b
MD5 hash:
2090e409cc180b087cdd42408397bd21
SHA1 hash:
16991a679ce21097f945307501f3cd5ab01b9efc
Link:
https://www.unpac.me/results/4e018e00-5087-41ff-a7b8-1bfae6059aa0/
SH256 hash:
3b23dbc0ffe3b17b88f560c2b93eb64af9e94beb88d123a4c811a427584f09bf
MD5 hash:
dd3ba42fc1cf8e969e342d918a7b6ae6
SHA1 hash:
4216ef47c65f7bbb54fd095c5bf2e321cddd69db
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/4e018e00-5087-41ff-a7b8-1bfae6059aa0/
Parent samples :
ce00b5a69092cf4b2a6f8c20e8f3cd5b8d1dfa27d946d9dca29413627a4ddfef
333394a3257c26759974c7bface3281c75d064e3c6c3f37479752bae52b364ea
45d0c2ec2ede02e8b8ef535346a4e7e06fd52ba27995a15a5f1a0b11e305d4f7
fdf11dc1585e1062c299ee652e789da5091b836f2fc999c99f0e6833e9d0db6b
ad269d354d181fb136d667589d1df4f9402585070c6385afad354fcb204bbabe
7a4a48270e007cfe195b3cbd18e16c77bac607a6f6c28ad76b6ea7b6aa28750b
19e7128bade3246917b6367e9ffb3dc01d8674cddabbf7db9a591eaf9e5314c2
eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
52ac94d05d81c00faa5ffb989ba1b631b88790deb41f8f982c120fba5754f4d3
f39e7dee71963b9a93fd15a46e577d7e706497278ef181e9f38e05c1afbbd675
0498395cee5c766f2150c83a45216291a25fefa434e9bf7b6c27b8d599c037b5
a5a6f09dbfef79a19d216620a173e636ad05e97f28a90bd4a08f12cc0254d24b
4dd4dc6e537cd6431e9f5b84a99a81349e2aa2816dc2c95db9590ee958acd05d
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/4e018e00-5087-41ff-a7b8-1bfae6059aa0/
SH256 hash:
6cd477a499953525d3c9d6f946d1b67e9bc80e813e730982e76b131a94463d5f
MD5 hash:
2b6230e56c8d8c5ca6b76df8d7dbbd9e
SHA1 hash:
9a4c948688f0e3d68c5d456b69f8efb42bd36edc
Link:
https://www.unpac.me/results/4e018e00-5087-41ff-a7b8-1bfae6059aa0/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eca76bae7cf6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments