MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404
SHA3-384 hash:	ec3836634f86fa5fdd4508746d86b3320ad9aecd8436cca5e188a0ca15713f9d589aad6b91e528703fbbeb2d92c20016
SHA1 hash:	3dd4c91bd3891a987bb14e553645be0dce769be3
MD5 hash:	64b12ea2b1bfbf71cd0ab82dae4a2a2b
humanhash:	cat-eleven-harry-pasta
File name:	64b12ea2b1bfbf71cd0ab82dae4a2a2b.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	714'752 bytes
First seen:	2022-08-18 06:36:21 UTC
Last seen:	2022-08-18 07:36:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f9f8a4f5d6af22b8a5196d501f8619d8 (2 x DBatLoader, 2 x Formbook)
ssdeep	12288:vGJufSEN4Nb+cuuUkyFnhPTWT5OWZdavN2HuEGlemz5z:vGqN4Nb9SmL4Fvz
TLSH	T19BE47BAD51B1D037D13B5E398D0716F8B522BED13A18A8C63FEA3E095B792806D1B173
TrID	51.9% (.EXE) InstallShield setup (43053/19/16) 17.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.7% (.SCR) Windows screen saver (13101/52/3) 5.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	27d0d8d4d4d8f007 (5 x RemcosRAT, 5 x DBatLoader, 4 x FormBook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

64b12ea2b1bfbf71cd0ab82dae4a2a2b.exe

Verdict:

Malicious activity

Analysis date:

2022-08-18 06:39:50 UTC

Tags:

installer formbook trojan stealer

Link:

https://app.any.run/tasks/c9dc3f98-f9f5-49f1-b7a6-30b4a2c826f1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/299506/

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

DNS request

Launching a process

Searching for synchronization primitives

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/29371/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm keylogger overlay

Link:

https://www.filescan.io/uploads/62fdde1a2093f7352868de1f/reports/f548d341-9a50-475e-aea0-b447938ece7d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be87729c-01c6-4f9d-b774-6458e014f940

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.expl

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1053587

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected UAC Bypass using ComputerDefaults

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-08-18 06:37:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ywo2zvn5th6ivzcyspp3c4z7ubs2bbg752m2eh4dymckikdcqca._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220818-hdgsjadfe9/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

7984c6d5d9c34c45857243a72d76b2f82c27cbf3d202d478efc693e8eede7075

MD5 hash:

81fd3ae23410ef7846043591e4dfc2ba

SHA1 hash:

588327f8f406348c8e081fd04cb20fb969d526f6

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/b2399f26-a84e-45d3-b8ff-f1065b183b5b/

Parent samples :

07af9a8905e2947a60d954b7f974b2fbe4a62223302c86eb866f447e61ce4245
2fe6e7ac5c699248c6f80259e23782d718bea739b0687a91e949cbdf486a4abf
ce97cec6d38eb389785a1987f52261fb466274e69522f6cdbebac7095f2cc972
c7c1a88e84bb85e9437b450de1e701473081b8cf7e45dcf62fd317262bfb2970
3b68e962b5129b08db1e475b47df5c2f1a6375a3adaa9b776f9d02ae13462e34
d88a2f2dc41473cc633251eefe4aa458fa9311b71c9a5aae4b33cb0fd268d562
0ef5c827d7b4bd9a40906909a27902b3ddcd8e3b2181d2d0df02834c96925033
357d7791398ff5681a24bf65fd84deb8067d8ff1365d2c00cd6672fd0e5ff4f9
6555c0d7b9acbff665b84aec9164dd1cf01740a10e735791f25c28a5da830740
ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404
6c232920b9bb1f2c3bf71124f93f06f49fdf41c3bae35237f7b031bebba14cc5
c2062d2d3ac3815d7a050a1bfb261c98581e7398f8b0c7ca670d7ddb328611d2
8de6ed84b73447703a0ddf14eb89ffcbe4a6095e4826cf07253ca04fb38d90d6
f3eed67f2ce421acee035ac4b3eeaa02fc548a485882c573d671355dfcf03a8a

SH256 hash:

ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404

MD5 hash:

64b12ea2b1bfbf71cd0ab82dae4a2a2b

SHA1 hash:

3dd4c91bd3891a987bb14e553645be0dce769be3

Link:

https://www.unpac.me/results/b2399f26-a84e-45d3-b8ff-f1065b183b5b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee2ced66adec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2263999/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/299506/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample