MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b
SHA3-384 hash:	5d33c2fc878320caffd5e831910e907346035cb7da3e75f4cf03396355200d63ad783e865cacf1bb1b55fc72d34880f8
SHA1 hash:	959b972a0f7539a35f791e6162994103b1a1f681
MD5 hash:	c93a1148d1965096d56c2ad87698a0f0
humanhash:	bulldog-bluebird-twelve-nitrogen
File name:	DCK-JULY 2023_COFFE-ORDER #6553DQQW67786TTRMAG.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	722'432 bytes
First seen:	2023-07-13 17:46:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:SS1BrqYA51SBxjCwhYeB3JsM7joSkDs8bzGfP:SS1wYA51gw0NtkDs8/Gn
Threatray	3'529 similar samples on MalwareBazaar
TLSH	T1F5E4F194603D0F6BD53AD7FA5424153053F96A9F256DE3860EC270D70EB6B088BA1F2B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

DCK-JULY 2023_COFFE-ORDER #6553DQQW67786TTRMAG.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 17:47:46 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/62f2406c-d00e-4e7f-9e0d-62c5f9dd8e4f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/418002/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.23053.13422.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Restart of the analyzed sample

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bfe51d25-8fb3-490e-8dd2-4ce0d89c6e49

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272662

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-13 16:50:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 37 (62.16%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=52eyv2pnpv57ibfruppghyxqudibuqqkbdhrlmqsst5g5ig5ze5q._file

Verdict:

malicious

Label(s):

formbook

Formbook

222ac0f60af8e72efb8053f721f55d3c6f23ee465f20c5c02d7e1b8897e95c07

Formbook

3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

Formbook

4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e

Formbook

5032142ba20b1c3203fb0b6c8c5f6d52c4546b233b3d11b885b4296e4887d6a8

Formbook

67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496

Formbook

a803baeae3e3a6d11b39b8a3df5bd4454fb50a3d950c19071e7f8d4ecd545237

Formbook

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9

Formbook

bbcb225a7c276aeb6f8dc8126d020327dff57ef23a80ff47eaba2cd2392c7f25

Formbook

ea2bca0128d9498a9905b3408ceb8edecefbc96891ae4bf4403739d21fc98c52

Formbook

+ 3'519 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ed05 rat spyware stealer trojan

Link:

https://tria.ge/reports/230713-wcvjwsaf4s/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

c2bfe3cf49d8f58f67d038098d05a96a179f655214af343e76e86d4c41efa503

MD5 hash:

3094d31787bddcf36fb1e7c57ed65350

SHA1 hash:

781284b231e8ada8180d4ec18841aa8da79680b0

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/a8d33005-6667-42fc-8e63-4f3bed5ae862/

Parent samples :

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496
ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b
e4072afd21da31150629928a4916d6635fa499bd9ff0f551a0c6d5add6d877b3
5ad354e8575a8c5c293f1fa8a1a25de41078a35c843b330a4b7529ec9b042d9b

SH256 hash:

6eea0cdbd959498de46a2217d41073be97223108ac36d105ead967581dd05e0f

MD5 hash:

5fb1db82e1631af408d1a47a92d4d4c4

SHA1 hash:

d508694094d273e23ddc22175f30de14ffd0bfbd

Link:

https://www.unpac.me/results/a8d33005-6667-42fc-8e63-4f3bed5ae862/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/a8d33005-6667-42fc-8e63-4f3bed5ae862/

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/a8d33005-6667-42fc-8e63-4f3bed5ae862/

SH256 hash:

ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b

MD5 hash:

c93a1148d1965096d56c2ad87698a0f0

SHA1 hash:

959b972a0f7539a35f791e6162994103b1a1f681

Link:

https://www.unpac.me/results/a8d33005-6667-42fc-8e63-4f3bed5ae862/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee898ae9ed7d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/418002/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample