MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8
SHA3-384 hash: 05e7c5e3587a491b1428d8924cee3a73da84019470f4f3387ca2813b68578b3a8bed0dce9f7bd04afce4e291f56ceebc
SHA1 hash: 9e0a27b48675b12c23c16e609e3f8d1e64973761
MD5 hash: d9b4ffd038389990ab9a069dc8cd8591
humanhash: georgia-oxygen-burger-potato
File name:d9b4ffd038389990ab9a069dc8cd8591
Download: download sample
Signature Formbook
Create hunting rule
File size:453'120 bytes
First seen:2022-07-20 13:50:16 UTC
Last seen:2022-07-20 14:42:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:LexgfavT3fAluU1IegfzcPUrmuS9ziSd67GKxmslLoy/WrtbJkqHV3NJgtsaG:LAZoO75TS9zi9qWjBcJqqg
TLSH T1BFA42299B6A84B16C53C8BF56923EE5093F06316D619E3185CC0F9C92E97B810B2D3A7
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 44e288ae8ace7898 (3 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://208.67.105.179/rexzx.exe
Verdict:
No threats detected
Analysis date:
2022-07-20 18:34:28 UTC
Tags:
loader
Link:
https://app.any.run/tasks/6e1de8c3-b626-48d3-b70a-7c980e3c6eb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/292936/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.25752.26197.32479.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d80848ef2b0e63a829e1b8/reports/9fe13c47-5176-466a-bd23-3dcb791b5375/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1037579
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 17:29:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5yskasy57mez3ou4n2sz2urfvvhzuytnmishl5nhp4wtex7smc4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220720-q5sywagbcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e26fd77e5cfaecb8249352b9a5eb5bee56d603d313ea78c02146a801eddde39d
MD5 hash:
e7885349a3454e27ca2dce8c1df18ac9
SHA1 hash:
52460c4e9a8697f34cf05cae868a71033504af7a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e9cb5fa3-d2ed-4f5d-b61f-442ca11c6778/
Parent samples :
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8
cc241fc34501296b9d528cc1a58bee76407a68a811f26705d868c76f496981d3
d524deece8493db69c10101c080269bbac5054a3d5740d21d50d536753df0c9a
dea4c28b344a778b2d1e880d4d52a69e4fabd2c62657143368fddb8302dccaff
7aeb7b7c9709aa5f1ec6e42ee76aa4a9791999e5f838de009b86bc840a031eab
4ed7500498bf6e841d2089acf3ae49e8a9a29c67926c390ebcc1a36a17cd6329
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/e9cb5fa3-d2ed-4f5d-b61f-442ca11c6778/
SH256 hash:
b0bcd809f99e63fcf7eb278ba5035f1f9a7d0c23989895ed993a688f7b12f5cc
MD5 hash:
4d8463efa65a2c5d1e94d24272a14218
SHA1 hash:
a18ee58ff313a268ed28becc47940c4f8173978e
Link:
https://www.unpac.me/results/e9cb5fa3-d2ed-4f5d-b61f-442ca11c6778/
SH256 hash:
f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash:
fb7cc194309b03e66b160fe20f371762
SHA1 hash:
7b6fe95b9b6af1328d43ef9fff27919d807b9c47
Link:
https://www.unpac.me/results/e9cb5fa3-d2ed-4f5d-b61f-442ca11c6778/
SH256 hash:
e2ced6166d453a37b1358c5790a1cbe04eab3730a08ea80954537689c1013416
MD5 hash:
b1db796911613f51ab6fab6c4752f341
SHA1 hash:
1048536bdbe84a256689ed21dac767f6f7858152
Link:
https://www.unpac.me/results/e9cb5fa3-d2ed-4f5d-b61f-442ca11c6778/
SH256 hash:
ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8
MD5 hash:
d9b4ffd038389990ab9a069dc8cd8591
SHA1 hash:
9e0a27b48675b12c23c16e609e3f8d1e64973761
Link:
https://www.unpac.me/results/e9cb5fa3-d2ed-4f5d-b61f-442ca11c6778/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259318/
Cape
Cape
https://www.capesandbox.com/analysis/292936/

Comments


Avatar
zbet commented on 2022-07-20 13:50:20 UTC

url : hxxp://208.67.105.179/rexzx.exe