MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
SHA3-384 hash: c323055a3346ac323c01a960f1c3165fff362cad57f44e019a7a9223bcd4c1c74eb6125988f5ef4e0afd3ffde343b14c
SHA1 hash: c01cb1db4983207dc9395b86cf2bcbfba3a4d050
MD5 hash: 9df143c9f9671c6f88b5d1d2aa0c8232
humanhash: bravo-speaker-item-rugby
File name:нова поръчкаi pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:692'224 bytes
First seen:2024-01-29 15:19:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5uAoIFFHgeg/cKWCT+pIET2znEglXFD7V0YVODak93GlNUD8sNG1qJ:5uAXFxvQxEsnEglXFD7ZVODacqMS
Threatray 700 similar samples on MalwareBazaar
TLSH T1EFE4124177ACAB66DD7F87F2242254A09BB63A277A52E34C0E8560DF0E72F054362F17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799.exe
Verdict:
Malicious activity
Analysis date:
2024-01-29 15:23:52 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/164fabe0-b03b-48ac-beda-cff8a45897c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Filerepmalware-10019564-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e58788b4-2ccd-4e17-842c-41a1cfd63d23
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1382807
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1382807 Sample: #U043d#U043e#U0432#U0430_#U... Startdate: 29/01/2024 Architecture: WINDOWS Score: 100 55 www.acerola-anma.xyz 2->55 57 xiaoyue.zhuangkou.com 2->57 59 14 other IPs or domains 2->59 77 Snort IDS alert for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 85 14 other signatures 2->85 11 #U043d#U043e#U0432#U0430_#U043f#U043e#U0440#U044a#U0447#U043a#U0430i_pdf.exe 7 2->11         started        15 bmyGuzzbyh.exe 5 2->15         started        signatures3 83 Performs DNS queries to domains with low reputation 55->83 process4 file5 51 C:\Users\user\AppData\...\bmyGuzzbyh.exe, PE32 11->51 dropped 53 C:\Users\user\AppData\Local\...\tmpF6F9.tmp, XML 11->53 dropped 93 Uses schtasks.exe or at.exe to add and modify task schedules 11->93 95 Writes to foreign memory regions 11->95 97 Allocates memory in foreign processes 11->97 99 Adds a directory exclusion to Windows Defender 11->99 17 RegSvcs.exe 11->17         started        20 RegSvcs.exe 11->20         started        22 powershell.exe 23 11->22         started        24 schtasks.exe 1 11->24         started        101 Multi AV Scanner detection for dropped file 15->101 103 Machine Learning detection for dropped file 15->103 105 Injects a PE file into a foreign processes 15->105 26 RegSvcs.exe 15->26         started        28 schtasks.exe 1 15->28         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 17->67 69 Maps a DLL or memory area into another process 17->69 71 Sample uses process hollowing technique 17->71 73 Queues an APC in another process (thread injection) 17->73 30 explorer.exe 40 1 17->30 injected 75 Tries to detect virtualization through RDTSC time measurements 20->75 34 WmiPrvSE.exe 22->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 28->40         started        process9 dnsIp10 61 acerola-anma.xyz 156.67.71.229, 49722, 80 TESONETLT United States 30->61 63 www.admlorenzo.com 162.215.226.7, 49719, 80 PUBLIC-DOMAIN-REGISTRYUS United States 30->63 65 5 other IPs or domains 30->65 107 System process connects to network (likely due to code injection or exploit) 30->107 42 wlanext.exe 30->42         started        45 chkdsk.exe 30->45         started        signatures11 process12 signatures13 87 Modifies the context of a thread in another process (thread injection) 42->87 89 Maps a DLL or memory area into another process 42->89 91 Tries to detect virtualization through RDTSC time measurements 42->91 47 cmd.exe 42->47         started        process14 process15 49 conhost.exe 47->49         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799/
Threat name:
ByteCode-MSIL.Trojan.Marsilia
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 13:27:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5246xoxvmsaa22jn4ppiop5px6463h2hiwpihpckf764cub2c6mq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
247c8156cf06c5d9dec7d5fa0b158339110b556d41b0750bff34d36086554746
Formbook
273926da6d093735ef6ce3c40741adeb2f0e0259205cda50ace55484a11d06cd
Formbook
4e888a7a812be647c1db3c45b41997976b81fcac54dbb3c2c53087518c036287
Formbook
56f2fe58468c40326131a779fb59a349bcba8e9953204fd2ea23c1285581cf5b
Formbook
78854920bdb00256902029bebce69365c42a97b0431ff35c48f6faf5951f24e3
Formbook
7da9294ba554d4c17ed9e4caac9836e303980814c7898b422ccde7a246ac26a5
Formbook
97989a17279bcd8fcfccf4fc1442517ff46eba38c08fa8dc3eac65b114ba8c32
Formbook
bb8548a744cd648172b769babfe7fb42aec25bc35e812f491af41d31c4c92d13
Formbook
fff4ae5faba33cf9265b80fb2cd328fbd08fd6649fe71c95a5e8bedb22036a7a
Formbook
+ 690 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g22y rat spyware stealer trojan
Link:
https://tria.ge/reports/240129-sqq7vaebej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
44a5589f59edbdbff9324606500daf7830ed519e1d824aee3263c1d5f18ef03f
MD5 hash:
3e92ee2394071dd0ca6c7c299e124c08
SHA1 hash:
7a16fa0c2e1412dbab8808749ed5667f0bc04357
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/f77408df-79fe-489a-a0e2-b5650d8a53a3/
Parent samples :
eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a
SH256 hash:
a2c446bb4642bac3d695846003c01e4b585a155c43fb2fc0b51edba01750e87a
MD5 hash:
746067727eba0e61e758623fca07d78d
SHA1 hash:
f2e971eb4624f79b6ee643bc49475724ca558562
Link:
https://www.unpac.me/results/f77408df-79fe-489a-a0e2-b5650d8a53a3/
SH256 hash:
0c2b40d81811ac89da01669d6cce678aec95422a79b151d8068d25c4f5e82439
MD5 hash:
6961c015f931cd235e25226a05a24b66
SHA1 hash:
e92b0961db2aa46d9f509a67bc3b941d0fc7387d
Link:
https://www.unpac.me/results/f77408df-79fe-489a-a0e2-b5650d8a53a3/
SH256 hash:
3512e50a7509ca8b120d7835c69302e5d739fa3651dd65485e5739a1cc991ede
MD5 hash:
8bc76b6253fe4689a874767bdefec712
SHA1 hash:
4642b756487c2e1878e7e03e32e77b51df0b3b3e
Link:
https://www.unpac.me/results/f77408df-79fe-489a-a0e2-b5650d8a53a3/
SH256 hash:
eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
MD5 hash:
9df143c9f9671c6f88b5d1d2aa0c8232
SHA1 hash:
c01cb1db4983207dc9395b86cf2bcbfba3a4d050
Link:
https://www.unpac.me/results/f77408df-79fe-489a-a0e2-b5650d8a53a3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eeb9ebbaf564/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments