MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077
SHA3-384 hash: e2b55a59e4be1f989eda912a642b19891f4c258eb6d32df6480fa70b536226d43eab9276c066d6e1dd3717d9286da086
SHA1 hash: e2b37a60b19c489e13242cc46f7a5331cf64690d
MD5 hash: 0616aa1c76c5df2d2b8e53d966afc790
humanhash: pennsylvania-nine-pasta-december
File name:LV-700317.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:310'327 bytes
First seen:2023-05-12 17:13:34 UTC
Last seen:2023-05-17 20:56:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 6144:fDpoe8dhzfwRiQ8RwwDtKtWznIt4KKooo4/dQZUtP:uzIADtKtWzIFZooZ2P
Threatray 1'486 similar samples on MalwareBazaar
TLSH T1C064BF83F84087D1E8FA8A3124F7493F873F6E7A5657570F264CBBB42AF30526612586
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 04cce2b88cf839c2 (7 x AZORult, 1 x Formbook, 1 x GuLoader)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
343
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LV-700317.exe
Verdict:
Malicious activity
Analysis date:
2023-05-12 17:15:13 UTC
Tags:
installer
Link:
https://app.any.run/tasks/fca1e3c7-5f42-44c7-ad92-63b6c1b92274

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388748/
Detection(s):
SecuriteInfo.com.ADWARE.Adware.Gen.171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/645e73da0b0d015a1ec61e74/reports/89dd1c76-fd3c-4232-80ab-5b9639286742/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5f07a26a-879c-4582-9d1c-ef7d957ee736
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1231794
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 864776 Sample: LV-700317.exe Startdate: 12/05/2023 Architecture: WINDOWS Score: 100 31 zaiana-store.com 2->31 33 www.zaiana-store.com 2->33 35 29 other IPs or domains 2->35 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 11 LV-700317.exe 1 43 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\System.dll, PE32 11->29 dropped 14 LV-700317.exe 6 11->14         started        process6 dnsIp7 43 globosphera.org 92.222.244.238, 49850, 80 OVHFR France 14->43 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Tries to detect Any.run 14->61 63 Maps a DLL or memory area into another process 14->63 65 3 other signatures 14->65 18 explorer.exe 4 1 14->18 injected signatures8 process9 dnsIp10 37 decoracioneskyr.com 50.116.93.86, 49857, 80 UNIFIEDLAYER-AS-1US United States 18->37 39 www.home-decor-86543.com 185.53.179.93, 49869, 80 TEAMINTERNET-ASDE Germany 18->39 41 10 other IPs or domains 18->41 53 System process connects to network (likely due to code injection or exploit) 18->53 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-12 08:09:09 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ydoze5fqu7cou7iy5mp3idwsrfxzn6mmv73esnqhuumxrc5wb3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03315fc089295a2ff5733402c9a928e0fa0c26c3d67dd3610ea121845bde4f1f
Formbook
229acb9011d2cf600c9112b5f7d19cba56d9bf5ecc20880a6c760e10f685b244
Formbook
3ba9fcb37e910177dc4bc5efc157993430c545ceac7747c28a0ae0dee3e30d93
Formbook
40af7ea5c438a5e5d39e726925d6ce11eadb0438f7dcaa50e753e7bb393f6775
Formbook
43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4
Formbook
597979053a51f37ffa0cbeb1847f707b2dd3b3cdbcc5c0a5e66a1f15b5419b8e
Formbook
5a95e92547f26d8b505c2c70b8c96dd8c41cb73ce948781b08a0adc831b1b158
Formbook
70eb12fb44e4b07a126e2e899c191fcaa482864709a5123dea76795bd2ee3008
Formbook
a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
Formbook
aee5d1b7326545ff692b98743e04d035e01415300fea8a5bf445d3490d6776cc
Formbook
+ 1'476 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230512-vryz7agb3s/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077
MD5 hash:
0616aa1c76c5df2d2b8e53d966afc790
SHA1 hash:
e2b37a60b19c489e13242cc46f7a5331cf64690d
Link:
https://www.unpac.me/results/6f94ca9a-cf68-4ca9-8b8b-c1b3cf548770/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee06ec93a585/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/388748/

Comments