MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67
SHA3-384 hash: c7af557fce628a6c162a10f6511c2659b5d30fe69c50e73361208adcc237c7871407ec0ba6299a51bfc33d20e7cd5c29
SHA1 hash: 26a3b1ccc9aa47152774fb7b414d64281ce6bbf7
MD5 hash: fdfd4b38db83dda53b5f69c06ecd25a7
humanhash: alabama-blue-neptune-lion
File name:eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67
Download: download sample
Signature Formbook
Create hunting rule
File size:698'880 bytes
First seen:2025-02-07 14:29:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:JYV6MorX7qzuC3QHO9FQVHPF51jgc9hiySigQJpWHpxkxR6LQhu2pW:+BXu9HGaVHXPZgQyjkXAF
Threatray 215 similar samples on MalwareBazaar
TLSH T117E423C06FD5CDA6C4693779C43A8DA0A431A8F0DAD83B6A53A8F61EBC70B47D85341D
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10522/11/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67
Verdict:
Suspicious activity
Analysis date:
2025-02-07 18:16:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a467f65d-2e89-45c7-8b4d-f8522b2dd400

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Autit-8177147-0
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a61a75dbfc8aaee8cd8070
Tags:
autorun spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64dc7c8e-1242-4499-9a1f-23737545ef86
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1609398
Signature
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1609398 Sample: 8BU0MOmoNl.exe Startdate: 07/02/2025 Architecture: WINDOWS Score: 100 44 www.erectus.xyz 2->44 46 www.globalcase.website 2->46 48 3 other IPs or domains 2->48 68 Suricata IDS alerts for network traffic 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected FormBook 2->72 76 5 other signatures 2->76 11 8BU0MOmoNl.exe 6 2->11         started        15 wscript.exe 1 2->15         started        signatures3 74 Performs DNS queries to domains with low reputation 44->74 process4 file5 42 C:\Users\user\AppData\Local\...\Fonda.exe, PE32 11->42 dropped 82 Binary is likely a compiled AutoIt script file 11->82 84 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->84 17 Fonda.exe 3 11->17         started        86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->86 21 Fonda.exe 2 15->21         started        signatures6 process7 file8 40 C:\Users\user\AppData\Roaming\...\Fonda.vbs, data 17->40 dropped 56 Multi AV Scanner detection for dropped file 17->56 58 Binary is likely a compiled AutoIt script file 17->58 60 Machine Learning detection for dropped file 17->60 66 3 other signatures 17->66 23 svchost.exe 17->23         started        62 Writes to foreign memory regions 21->62 64 Maps a DLL or memory area into another process 21->64 26 svchost.exe 21->26         started        signatures9 process10 signatures11 80 Maps a DLL or memory area into another process 23->80 28 5c6EXKxrajvxdMGoVUb.exe 23->28 injected process12 signatures13 88 Found direct / indirect Syscall (likely to bypass EDR) 28->88 31 net.exe 13 28->31         started        process14 signatures15 90 Tries to steal Mail credentials (via file / registry access) 31->90 92 Tries to harvest and steal browser information (history, passwords, etc) 31->92 94 Modifies the context of a thread in another process (thread injection) 31->94 96 3 other signatures 31->96 34 5c6EXKxrajvxdMGoVUb.exe 31->34 injected 38 firefox.exe 31->38         started        process16 dnsIp17 50 www.globalcase.website 192.64.118.221, 49981, 49982, 49983 NAMECHEAP-NETUS United States 34->50 52 www.adjokctp.icu 104.21.35.208, 49985, 49986, 49987 CLOUDFLARENETUS United States 34->52 54 2 other IPs or domains 34->54 78 Found direct / indirect Syscall (likely to bypass EDR) 34->78 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-01-29 11:24:37 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52yw3oskgb6i7ftmwhypmowpuatlxmyg4mx4bpcwux2wwxsenjtq._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
Similar samples:
274630241532399b2f1ad5d02752b6159f816accc92d8a4351e40be8f7e113f8
Formbook
7c0e48c541969359c64b262854ae7172b9e3fc0debdd019fa85b3bc67f38db61
Formbook
9bd66b6fa9050edf01d12180e4569c464f47e3235d5a912c9d2e91b6461e8f23
Formbook
dfade43b170cbeefcb58db57df4095fb2c109f85af3dd6bc514cbf2a9d86b2b9
Formbook
ee9ed4987fb571fe5694f7b4d56b722c2b9c7d4bdd390c405a97b8a907405ebd
Formbook
error
Formbook
f366a3ae7288d8c79063044af4427617ec227ebc960cf143dc0a020f3827b92e
Formbook
+ 205 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery upx
Link:
https://tria.ge/reports/250207-rvda4svjcz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Drops startup file
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
trojan Win.Dropper.Autit-8177147-0
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/fdb3161d-70eb-4626-9d74-9076709ac3e5
Unpacked files
SH256 hash:
eeb16dba4a307c8f966cb1f0f63acfa026bbb306e32fc0bc56a5f56b5e446a67
MD5 hash:
fdfd4b38db83dda53b5f69c06ecd25a7
SHA1 hash:
26a3b1ccc9aa47152774fb7b414d64281ce6bbf7
Link:
https://www.unpac.me/results/e7ce21f7-23e3-42b4-a3f8-e3ed42ce331e/
SH256 hash:
b22e8b83478ab484adc240d3780c63bf0fa221df558328c049b754149517b965
MD5 hash:
36f557e202abe0aef8c533193d13bc79
SHA1 hash:
903b9392a8d7fd4b8bec1e6fdbf02fe994ad700b
Link:
https://www.unpac.me/results/e7ce21f7-23e3-42b4-a3f8-e3ed42ce331e/
SH256 hash:
2fa0c1936640db5906e6cf32ba0ed7008c782db172254e4cca1b1e90e15a107f
MD5 hash:
3674fb8c8a3eb50e2fcf8fdbb1dba609
SHA1 hash:
f8ea05884570011f4a2a82964288a3f01b983c0b
Link:
https://www.unpac.me/results/e7ce21f7-23e3-42b4-a3f8-e3ed42ce331e/
SH256 hash:
edbe85ed4e7e58b223cff5745d2f1359f995c541cb0eb3102f5744a448a0e898
MD5 hash:
ed6ab7b1bef82691869547d0860f03b2
SHA1 hash:
b24e309bb37136d2d362e58db84dde04fe20be91
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e7ce21f7-23e3-42b4-a3f8-e3ed42ce331e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments