MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed
SHA3-384 hash: 2caf7c66e9dcf3371e1294284d26341bfe875d3b95388df9a9f6503b879a7114405aed701f4ba31e3e8ae3b42568037d
SHA1 hash: 026a72165fbb163426536258e1cdbc4b3f01ca8a
MD5 hash: e0c2a2551c3eb5c944b73d39bb7d13b5
humanhash: beer-blue-venus-william
File name:Enquiry No. 1000341492.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:806'400 bytes
First seen:2023-07-24 08:39:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ZcvJRBusy8Cx5KmNPhRj1WPKlwpuJdUOSwqn6qs+nNyBDHRuhMEw:AFutGmJhRxWClD2OSmoneRuhMEw
Threatray 3'371 similar samples on MalwareBazaar
TLSH T1A1051251377AAF55D5B8BFF49290652903B1A68A2823D38C4DF120DA0D32FC46F92BD7
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Enquiry No. 1000341492.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 08:41:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e046026f-2b73-45e9-a9c1-be7454474735

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430610/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31650.9474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ccfdb59-bd14-4810-865c-23bac4060050
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1278144
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 08:18:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52e5elczof4nv3vecmyo3mm2w7qkfmazpuowibcaszwn4jpow7wq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24e91c3b0d477625a70c71ea05ad7e6ce3dd9582567bb7c33ed6ff537915490c
Formbook
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
Formbook
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
Formbook
88b562c7a56631c4d9221faa41b327b797546ca3be4577438357ac63eaaa316d
Formbook
a65903f3968b96768cd2ca31af342c23b7f8c8b0d928b6a7f9119c80f105b3ee
Formbook
af093bd71cb66c24a34d31d6efa125d86e6ffa89bfbfad9d20658889553e133d
Formbook
b0504206461bb3a04bc80d299501c2d2765f097bc621a0e86e5b9e889f383287
Formbook
dce8dfa0fb0baeafb31cb8072e1f9421919a796f013d5dca81ab0697206a9762
Formbook
e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa
Formbook
f9a62b5f1d116b8836b675eebb3c4b361b50a6b5600c70081cc0994285df9b8d
Formbook
+ 3'361 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230724-kkwldacd2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
953d221cd73f13ede6452b513b7bd8d4f5c2dd4f893feca68e94e2fbd82a7ef6
MD5 hash:
bd2cda531f1ae86498e99fecea592e03
SHA1 hash:
4e5da01a005e3ff59aa17844f08ec354b164b894
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/19002f18-7f13-4cbc-8a59-9833a6d8090b/
Parent samples :
ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed
eeef9f8539d9b599419583ef85788fbfe021e088a53ec61b11b4b47a807a9931
SH256 hash:
6e319d95c1e6036e2068766e543262f8085c1c5be40a77492710a651630d39f4
MD5 hash:
2e9d7c2b3b566de03cf0fe896de059b9
SHA1 hash:
e3138b4ac6feda519935692d76ab447910a769f0
Link:
https://www.unpac.me/results/19002f18-7f13-4cbc-8a59-9833a6d8090b/
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/19002f18-7f13-4cbc-8a59-9833a6d8090b/
SH256 hash:
f486eae34a4aa8240adbe0ae0c3a9cc125cc458f3e10334544f5c9942d0cc486
MD5 hash:
cae8720394d351905f3ad7ac9a155aaa
SHA1 hash:
655998152eafcba72ffa60a07232e91a340b4291
Link:
https://www.unpac.me/results/19002f18-7f13-4cbc-8a59-9833a6d8090b/
SH256 hash:
e6f6d4537b5a06dcaa639efb0f59ad138130ef4c513244de3546a5738c0ebed3
MD5 hash:
04c1c72fcdab1c3639a9bedb97400004
SHA1 hash:
0e02ae80df4243f81292cbfbed7037f171aaf544
Link:
https://www.unpac.me/results/19002f18-7f13-4cbc-8a59-9833a6d8090b/
SH256 hash:
ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed
MD5 hash:
e0c2a2551c3eb5c944b73d39bb7d13b5
SHA1 hash:
026a72165fbb163426536258e1cdbc4b3f01ca8a
Link:
https://www.unpac.me/results/19002f18-7f13-4cbc-8a59-9833a6d8090b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee89d22c5971/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430610/

Comments