MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
SHA3-384 hash:	1408c770fab626a339b6853e731bbd7c991e1e432c4efdbb58cc99afb39c00d501652c35f29a97e96cb210b7f2186c74
SHA1 hash:	79708082f50cca5c53860aa6bfc404e2762e4044
MD5 hash:	9a2a86186b5ee6d85c0dfe909e310552
humanhash:	golf-jersey-south-south
File name:	ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'124'872 bytes
First seen:	2024-08-02 11:45:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:bf+6UNxk0J9Wq3B8VkkogaAlQj+HbvG13BFt:bG6U80Jkq3B8VzogaokYvGpt
Threatray	299 similar samples on MalwareBazaar
TLSH	T1F7354B487AB83F42F27D93F54972695883F4669E24ACE79C4CD3B4EB26B1F444880E17
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

339

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6

Verdict:

Malicious activity

Analysis date:

2024-08-02 11:45:44 UTC

Tags:

netreactor

Link:

https://app.any.run/tasks/b2f111ae-d964-41fd-ba88-6f4d4268f25d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66acc6c3b7a04efc7439a637

Tags:

Encryption Execution Network Static Stealth Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed vbnet

Link:

https://www.filescan.io/uploads/66acc6c678d5c73fb1cb2b73/reports/54c2d759-d487-4a6e-b644-ff7f7bcd5af0/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db91be32-2afc-4b91-9480-d6ccb4152009

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1486722

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-07-30 00:25:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5szarmy4tw4yrzvb5rebc4xxdzsgucck3wiygtagghvc3ugw57la._file

Verdict:

malicious

Label(s):

formbook

Formbook

7ecc027520fac0c2341292e6e6cc3389c172399ee0d7a3672b5455ec7f4b775c

Formbook

a96c7253cab161d289efdea709091608649deeb1423a4df65d1cd13ad28642ae

Formbook

b52771878f98cb32f91e9c5eb88b1452b25077c973bf5db1ef3ab356ec9b80e9

Formbook

efab4e467f93e1f5b3f0fee251844f6e3667b794aff5fde442d7b4db955201e0

Formbook

fddb2e3244a031741a1da8a0a5086890cb02ef24bd93b7df8971b42d65b1a03d

Formbook

+ 289 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:v15n discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/240802-nwry4swepq/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/64a677c7-c8a2-498e-83f4-4077e7c0f905

Unpacked files

SH256 hash:

726fc15ab650f469e5a5c0300f5261d43961bfb5713bab962c90fbc6c37e9688

MD5 hash:

64d86b46c505b6488f6996514ec6dbe6

SHA1 hash:

3eef767b9f298582caa83eecbf0b64ed9be98a22

Detections:

FormBook

win_formbook_g0

win_formbook_auto

win_formbook_w0

Formbook

Link:

https://www.unpac.me/results/bf4e48e4-02d1-4943-a547-6be5218c7a49/

Parent samples :

b362ced287b5f00b3b2ab2c3a7bbc85b57e13271d76a6c65423a831fde92876c
2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4
ecf7d21e6034165420d152b1c77462ac51da9950be2b4eb32f966eda29376aa5
f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96
8e5d1467792caf25ac149070af9ade23a972792a9bddf7ad6b811668e7b72981
2a6ee6b0b17d33a011119d09d27e466d0d640314992d262f03a3789c464044d6
63e3b4304b855b3219c28b8d5306241564ac5f1752a01b5b793ee7733b4c69a7
ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30
d2b2b2ae2cf256bec969052f108726d12ce6f84a2ca91f4baf4683a5bb331c86
a1ce25c899ff86db4e54d042569e0a996d399dcc9a701b551999b1edeb2acb89

SH256 hash:

cab6a13eb67b557098f77b98629067b44d816356edcd34279f73c749560e3fbd

MD5 hash:

aa802efdbea1bc3c464d774ee5ff1dde

SHA1 hash:

eba1db1a3f26cdb4e11d75499448dfc498fcc4d4

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bf4e48e4-02d1-4943-a547-6be5218c7a49/

Parent samples :

86d535d54ed2e30a80ddc2c530c330d8898ded55ad6ba35310f14c3f23a19a0d
15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
12d10e1ecc6afdf8f4ec4b08806c3eb3164e83ee258031bf7e292279e8e3ad66
77ac5b15d78e58b7ed803e93aa16e4742ab0b6c1eb4e0b5c8a93f3799ed00e18
11c37fead8b02d4646499109187b632dc2ec2f49d842e7aabb3bb93d7ce3d538
ff155d8b9a7c9df0c77f203a547157f25b89aec97f2807081c74c7735602507c
552ec910ab15e94277c6211423d6a3f92fd96bcd8d84695c6adf3a36e9d366ba
c75ae9d4a81e584dbdf1d2ffe063a22ad2189b1408975eaf8ef6410edec81fd9
a2494f6dfc0726f3ada24c21185c0554d50f1ecc13bc434a47d0a0bad5d9e767
5223dbf673bce63ab81bbdfecc931ddd6d9a8d3c138e269e479e56167eed1c50
b24eaa1b9bd278aaadaa1c2e7a74a6674b0f604048c5851ae6ae598152bdcd67
a85df9ae1792ac726d8486058b5f1ddb89f232930cb3c7172291fe3adee3220d
b52771878f98cb32f91e9c5eb88b1452b25077c973bf5db1ef3ab356ec9b80e9
4f6abf63121d8ac6db6af1b4aaa3331822ebf670bb70a98720d759cd41ec6a90
85f373ce0f6da2b2bd6b1fba5243ce691997bab0e3d9f912d6d1b4f7c617d103
7aafc2b21a5a3d027eb1762dd91328b5adfb013f5c86fb4da95c4fdce8313535
007848670c9bdba545221e97ee5047081c60af7edf232f04b1f044b03732e323
dc37dbd4aabfd3993ad6c43f35ebd47fecf7c2fd40a3dbfdb99a21e1b6885f95
fd2bd6b337113729beeb74f7446d2b777315abca4d557a5cfd7acd679add2d65
9ca974f315a7980f38671b6668946264198130593006ff0423637c55249f21c1
267a95b7715bba494b96ff9d7bf29dfd8ee2c73c5312964b5039962826ce6fc7
6d524f19183002c058639b24455f309f78f225ee0a0210cfd820b83609f132ad
fddb2e3244a031741a1da8a0a5086890cb02ef24bd93b7df8971b42d65b1a03d
6bc6f1ef2929e6e16e0f98b29e7ade9b941a7080347db2321852b5afc58b0cfd
efab4e467f93e1f5b3f0fee251844f6e3667b794aff5fde442d7b4db955201e0
d182a98c60c7fe6f8945a4791c365234f519485f7a0e6dd0e95513f9670e0cf6
18dba55b8d1c77f7b0dcf0a2ae3a4a702be887e0fe36c6efca2d9caaaf33fe1c
684728d71a1b686e85a2671e253ecbd27da9e028f3160e84408033dc9ec21dbe
da0fd2ccf00f1cae00d3ffeec1f8dccd520b02b1b8953fe7839db61e0f843acc
8961382e3a069a9b64457dc4f73fe9aaa9b927451d7715fa1a4d9be8114edb23
584b6e279cccf8b9faedfbc68242f158f19f881643fc79614f3cd96d4c50cf89
7ecc027520fac0c2341292e6e6cc3389c172399ee0d7a3672b5455ec7f4b775c
7ad4e2e9091d961c63bd8a5de7c884df9c81c6395f35645f8c17befa50fa6bec
ac082f9d7470f51db94b17a7b86f0c680e76a2bbe82382332fa7a8a6d52bb898
253bedf2000dc70d54a576b7ef69a7cd990aae9b1734cf65193b7862f47da94e
e67ae0c8bca17f912e1fdcc8dacac7e967ac9dfcfc031d944663043c99f32ea7
3b0bc3f1f71b05a119884770f7c79d236ddf6b6ccc378b30705f3ecb712be998
5e979880469bfba9dc9b850ed945530fc277fcbdd96227661972c89e700ecd1e
4d1527ce09d716a68f0a548a3fab80d2223028460e036f43b579f211b91b0ff3
a96c7253cab161d289efdea709091608649deeb1423a4df65d1cd13ad28642ae
d5033b91615c5b714b92362b7906982f577b7235b0bdc8433a03cbe0e8992730
ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
94b60b83cf8ae31ab9133dc8d689ae1cb34190128ebdfe0502a752113c7fc2f9
58a3d9499f2175456ff0b6f652cb1b0603fadf615b597a59713f23f2ac6350b4
b914e2a5f98b702eefc2ec6474500eb32fd3032032bfdba52fe136898de7c231
5868636d8eaadf62ceeacb1564bb3a8614e8e87471e2475d48f765fad94f3d9f
690f04e5bd79e7410dc886fd084b7c8b1c198d398674a95117dcc6137bdfc66b
19beaa481d4538a01e7156ab1d065d010056be23f81edcc4056629f8aacb46d6
b42cf4d03e50a5913c6a20c9b70ef11ca48890a75adf324754a01fb269182bd7
41445ff8ed7dc3ce3e7f54c5fd7fb93e5a7c8961237bc408b92dc48dada2ba88
523d949366cc9f4ddfa2d9c261bf1f0741879b32cc821e6e654830184ff4815b
5dbbaa22b757de07d0fb4b665b1863811a2e80498b5265ee903c3998a8684b6d
f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
023034cca9da6237539371b5b9ed642a7e27586f5908ee9cd400649665c22a40
949fd4ab1f31af8e7ca60994be0e8ab1d96f92ccb339d7aab1b5f969ffc7ba9c
f3ac084766855ffecdafc4e214d1087966be4b88edd5a2e729b6e699b7ef546f
de6619e254db011cc45ea6684edab7007f3e8deb6f264afa97c002d840858781
3b08f443e9b1999e957fecbe5a3b9b51b666b78b4286350f23e7c618e44e0abd
5f569c72db9c31528daf2e907938b9bb711ea3a050efe5bf5d514dc962c5415c
745bbe5ba33f2e50be4de60788cb6a685c2dd7f4f78d933e0b99f6be4988b013
25e04a4c87cc29c42fccc7137735bc6e7f5e11d06cc2039493b88be56c5133aa

SH256 hash:

cc39ffe308618906c4e56a532d49e7b3ed5f1fbed3ed89f4ba86166512c82c02

MD5 hash:

63a80785b20d3368f346d3ad89a121bb

SHA1 hash:

47da1eddfb596115ffedc91533868d7dc959c19a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bf4e48e4-02d1-4943-a547-6be5218c7a49/

SH256 hash:

6696b27ce4e4554d8b08a31990a1fdb11930796a04cf9a4621f7293681c56a74

MD5 hash:

02853a540957f63b8e7dea9cee62a1a9

SHA1 hash:

31cef17d6805c4be0ace89f1dc6fdb253cd70fc1

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bf4e48e4-02d1-4943-a547-6be5218c7a49/

SH256 hash:

ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6

MD5 hash:

9a2a86186b5ee6d85c0dfe909e310552

SHA1 hash:

79708082f50cca5c53860aa6bfc404e2762e4044

Link:

https://www.unpac.me/results/bf4e48e4-02d1-4943-a547-6be5218c7a49/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ecb208b31c9d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample