MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05
SHA3-384 hash: 833c9e8757a98bd2a11d5c837524dacde5aa58074ad06c1ee7d3dec728adec93b8fb15d26845bbbef858c83d30af8b64
SHA1 hash: f9e557a2a1c1afaffe9fe552894fac5d20e8b996
MD5 hash: edbf4842d10360edac2a88c3ae864066
humanhash: zulu-gee-wisconsin-pennsylvania
File name:file.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'435'609 bytes
First seen:2024-05-21 03:44:27 UTC
Last seen:2024-05-21 04:28:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0560f063e7363d920c1f0f9c018c6a15 (14 x AgentTesla, 2 x Formbook, 2 x RemcosRAT)
ssdeep 24576:Xm8t+0HTQUpDZJH6s5KeqzLQ5yAl6uEweQq8TWQNojuemE9qkKi04BKP3cxw:7B29zLQ7zdWcfQnw3d
Threatray 12 similar samples on MalwareBazaar
TLSH T12065F11633AD42F6E4B3D13489528B91F6B2FC5A4324AB8703E552757F132A24EBF352
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05.exe
Verdict:
Malicious activity
Analysis date:
2024-05-21 04:31:15 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/e1340526-2f13-4cae-bd70-608c0888113f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.28657.23289.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Tags:
Encryption Execution Network Static Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint overlay packed
Link:
https://www.filescan.io/uploads/664c18c881ea6b1eef493988/reports/42039dfa-5ba9-442e-8aeb-fcc4cfd6a90e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/69888b9b-0992-4d11-b653-041d7f9380ba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444733
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444733 Sample: file.exe Startdate: 21/05/2024 Architecture: WINDOWS Score: 100 78 www.teddycorner.com 2->78 80 www.scfl7xmdd.sbs 2->80 82 13 other IPs or domains 2->82 102 Malicious sample detected (through community Yara rule) 2->102 104 Antivirus / Scanner detection for submitted sample 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 3 other signatures 2->108 10 file.exe 3 2->10         started        13 iexplore.exe 2->13         started        15 iexplore.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 signatures5 112 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->112 114 Writes to foreign memory regions 10->114 116 Allocates memory in foreign processes 10->116 118 Injects a PE file into a foreign processes 10->118 19 iexplore.exe 10->19         started        22 WerFault.exe 19 16 10->22         started        24 conhost.exe 10->24         started        26 iexplore.exe 73 111 13->26         started        28 iexplore.exe 15->28         started        30 msedge.exe 17->30         started        32 msedge.exe 17->32         started        process6 signatures7 110 Maps a DLL or memory area into another process 19->110 34 WQIDjWHrvlmqXwpwiac.exe 19->34 injected 37 ie_to_edge_stub.exe 1 26->37         started        39 iexplore.exe 31 101 26->39         started        42 ssvagent.exe 26->42         started        44 2 other processes 26->44 process8 dnsIp9 100 Found direct / indirect Syscall (likely to bypass EDR) 34->100 46 upnpcont.exe 1 13 34->46         started        49 msedge.exe 37->49         started        84 code.jquery.com 151.101.66.137, 443, 49788, 49789 FASTLYUS United States 39->84 86 sb.scorecardresearch.com 18.244.18.27, 443, 49782, 49783 AMAZON-02US United States 39->86 53 ie_to_edge_stub.exe 39->53         started        55 ssvagent.exe 39->55         started        signatures10 process11 dnsIp12 122 Tries to steal Mail credentials (via file / registry access) 46->122 124 Creates multiple autostart registry keys 46->124 126 Tries to harvest and steal browser information (history, passwords, etc) 46->126 130 2 other signatures 46->130 57 WQIDjWHrvlmqXwpwiac.exe 46->57 injected 61 firefox.exe 46->61         started        76 239.255.255.250 unknown Reserved 49->76 72 C:\Users\user\AppData\Local\...\Login Data, SQLite 49->72 dropped 128 Maps a DLL or memory area into another process 49->128 63 msedge.exe 49->63         started        66 msedge.exe 49->66         started        68 identity_helper.exe 49->68         started        70 identity_helper.exe 49->70         started        file13 signatures14 process15 dnsIp16 88 parkingpage.namecheap.com 91.195.240.19, 49742, 49812, 49813 SEDO-ASDE Germany 57->88 90 www.huangpositive.site 188.114.96.3, 64562, 64563, 64565 CLOUDFLARENETUS European Union 57->90 96 2 other IPs or domains 57->96 120 Found direct / indirect Syscall (likely to bypass EDR) 57->120 92 clients2.googleusercontent.com 63->92 94 13.107.246.40, 443, 49793 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 63->94 98 6 other IPs or domains 63->98 74 C:\Users\user\AppData\Local\...\Cookies, SQLite 63->74 dropped file17 signatures18
Score:
21%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05/
Threat name:
Win64.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2024-05-20 03:00:42 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53wdqc6a4vh2izx3fjgbcizyumywaxxofvzoniblipihek5v74cq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Formbook
19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77
Formbook
29800c0a75aa0fddc4541b917a5ed7f7b95872b55af6ec7fc4cdf33d396573d5
Formbook
37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7
Formbook
7aca6825bcc57d37bd12f4975818ef6fb846766a335c1fd5f79b154d4ea89842
Formbook
be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07
Formbook
bf1f882e2a1d0e35207cd7cab867bffe933e134e43ff317acf2db538bd4d7210
Formbook
cfd0a18e7de8110fe285486bebb1b1671d09cf95dc73494e6ee37da0297751fe
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
f7decb942c4d2f001d2f810978463780697403597ed4f5102a19c27edd649ce3
Formbook
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240521-ea4aksgh2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds policy Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a1caebcd-b598-4631-a994-b309d7491236
Unpacked files
SH256 hash:
eeec380bc0e54fa466fb2a4c112338a331605eee2d72e6a02b43d0722bb5ff05
MD5 hash:
edbf4842d10360edac2a88c3ae864066
SHA1 hash:
f9e557a2a1c1afaffe9fe552894fac5d20e8b996
Link:
https://www.unpac.me/results/361a1b01-cf20-4da3-83d8-2389ea41ce53/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments