MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d
SHA3-384 hash: 9303c9c755cdcb21c2b1c9b200189207bb929970ec85bec07f0f7632ad45f095f6a6adbf023ad4cb445d21a88914b13e
SHA1 hash: 662dd7717e21aebe261d44b57842aea44c2c8939
MD5 hash: d08a460cac4ff3eea6484336953a0d08
humanhash: california-green-one-magnesium
File name:file
Download: download sample
Signature Formbook
Create hunting rule
File size:274'064 bytes
First seen:2023-06-14 14:20:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa69YhsG4XwmevagvImdFMtRTNTpPx07s232DglOw:PYHYhs2XIvfTNNPx0rim
Threatray 1'802 similar samples on MalwareBazaar
TLSH T1C444121E2655D17BE06346722E352723CE9BB93304E48FAB1306BB59BEB3541B81E731
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter jstrosch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
http://103.6.248.143/OneDrive/lsass.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 13:47:47 UTC
Tags:
opendir loader formbook trojan stealer
Link:
https://app.any.run/tasks/c4bc0f36-1d24-4f9b-bf73-869930b2a124

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398849/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22790.14792.25217.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90720/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6489cc99f4d4f3a26ce14d26/reports/d09643a7-03fb-4630-9c63-d27a1cd10d3f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7a83124-e598-4773-9b68-a97f7bdc5c7f
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1254656
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 12:28:04 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=532rtapxzwzbl3jfpdkehut63w7nnxfkg7cwqiao37culnb6y2oq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e83b40d751f735b6088f7c998ed7dd3321527adecf03ad156d91120adccd9eb
Formbook
25f2836e6f4bae031ac689a1110ff0416a104f3cf92f7278905ff9050a614ccc
Formbook
2d8e544f10af06bd50beb47f3b24b837e876bcf2464bf5048a578c4111a23d1d
Formbook
2e1feacb6a3980b6fe801af73c3eb68a60295d75e7a72fd0948091ba34a8d7d7
Formbook
428aee241022499cbd49907635162f116e24792b117490949fa3527dc130b90f
Formbook
5854ab7f0f8110bf900f6b86108ad8da461d85f04de5d99b61bc5d87a5a6868c
Formbook
9963c30bed4a82426aa769e6239f538dc038be8bd59b1d43534456b54b29880c
Formbook
9ada0ca121fe2b402b0da1728cd9f1fbb36d61a62fd40bbe8428756c329e04e8
Formbook
c236cad7d35cd458e9604968ab72c99eeeb838b8f3dbddc037f82a4952228dfe
Formbook
c448049c359c9ada55dbdefbb772020aa3962804d485ccf52adefb3a2030e3fb
Formbook
+ 1'792 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230614-rnf4esaa52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
4c52875c677587a4ee9818d10f3df172ea88ac3ddb79fc569bfeaf208fb8cb6f
MD5 hash:
d984b608a8e4a3e93c9a72a53f222837
SHA1 hash:
a3b9bae4d00eafaf0edf22d1f0c1eac6d148cdab
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cb5fa04a-21ce-479a-a096-4b904a3d48e4/
Parent samples :
e323ee081dcd5002f4df050289a12efb32163aed062cae1e59d6ecc778215c96
9beccd0237c35c26218afd582b1c76606f1a9d0c9de1bf75cc555518ffd6d420
fedc599e2ac5deae790a550b54cc5f497e3f0d3e8519ce45202c7e5a05590830
a5de092cf0470e6194275e392a955b89bc00535d9180996da2a55b82f8215121
f4afad610ada8c98e0e1bf3907d6ae1b3ffe56d2060df106d9336aac195a5e31
081527de30dc241c82bb300d57a72a24a296db7eb7f8878baf40d634ec361549
392a3c13cc6f2803845bf0dc6bba16c5d56d0ee46aaaedab6c4de842cce50429
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d
SH256 hash:
de20465fd3a111d40d14d3ca5f8c96425ed945da9756a8e65fddb0d3bbfe9bde
MD5 hash:
43d313fc3a0cd0520d1e573734bbabb0
SHA1 hash:
272f85c496e9789d55f34a203083dcd75f1bfe0b
Link:
https://www.unpac.me/results/cb5fa04a-21ce-479a-a096-4b904a3d48e4/
SH256 hash:
2327a2e070e40aa90e3534d9acbcebfc5af17a26eeb05a4d80faec633a3dff43
MD5 hash:
ae322cc2e6d5ef8496cb9057dee16ad1
SHA1 hash:
29081880652818f488394bcd3b0c3030db695e67
Link:
https://www.unpac.me/results/cb5fa04a-21ce-479a-a096-4b904a3d48e4/
SH256 hash:
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d
MD5 hash:
d08a460cac4ff3eea6484336953a0d08
SHA1 hash:
662dd7717e21aebe261d44b57842aea44c2c8939
Link:
https://www.unpac.me/results/cb5fa04a-21ce-479a-a096-4b904a3d48e4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eef51981f7cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398849/

Comments