MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16
SHA3-384 hash: a58ce30ff23178575820fde46d832a77193247cf7958512a65c42e6fad04946e933c7b80dbb509e637b1015791596f09
SHA1 hash: 55065471e78d7d34826e4df38f4538bb2c17a63a
MD5 hash: 209bb97a7d4d13ab2482bd82fd987b50
humanhash: summer-tango-twelve-lima
File name:SecuriteInfo.com.W32.Injector.AHL.genEldorado.26044.10817
Download: download sample
Signature Formbook
Create hunting rule
File size:262'144 bytes
First seen:2021-05-03 16:00:42 UTC
Last seen:2021-05-03 17:05:17 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:gEIPXIPiDsiaUma+VXjMFXFnPOaaAZVvsGe6NAXJKqAxm:gE9awiaUmzVTMFXFPhst6NA5KRx
Threatray 4'931 similar samples on MalwareBazaar
TLSH 4C4412267240D837C7560B3158337BA6DFF8BE110D528B8B7B307BAEB6365C2860B591
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
55
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.Injector.AHL.genEldorado.26044.10817.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 13:17:47 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ypgyv56txr53zptotousizpeozwm62s7x3xaze3xut2dk6ovila._file
Verdict:
malicious
Similar samples:
024c67bdc81850f0d4acf648be1016358c78e21a74dbde96b0d753cffd76ffa7
Formbook
0c856e57da034a8943b4065297d075365090d9eb925abb7ba74dd3df9acefc1f
Formbook
0fce851d001cb1a92a7939eb6a9fac428f5fd9750caa9a1981e27fd659c32c03
Formbook
2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6
Formbook
4fe5115259b2c032f03275273349549ab896959c818d771a4ad755ce64866379
Formbook
5fef6e5e702f6ac33542c50d34d3054d1b957c3afd5dffc8fbeaa81d82fdf562
Formbook
6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe
Formbook
dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512
Formbook
+ 4'921 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210503-dgkezfk1pa/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.111bjs.com/ccr/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1187985/
  
Delivery method
Distributed via web download

Comments