MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 12 File information Comments

SHA256 hash:	093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814
SHA3-384 hash:	0af22287b8add871b6ac8399dd61e7ba922c62624352209fd219e7dea909e1df9d860acd02f6097ae4edb9103a13f576
SHA1 hash:	ab241bb1cd971c6eae948f3b38b51f85432cb7a3
MD5 hash:	bee7ee5d75f9162ec7f5ce9d882fcec7
humanhash:	north-snake-three-kentucky
File name:	SecuriteInfo.com.Variant.Strictor.286733.21656.5618
Download:	download sample
Signature	Formbook Create hunting rule
File size:	781'824 bytes
First seen:	2024-01-17 15:27:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (61 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:bsHzOUNUSB/o5LsI1uwajJ5yvv1l2B/PNcSrxXntXvkP9uxGwtRJWk4Lb2TvjvUf:KiUmSB/o5d1ubcvmHN9BtXvk9GvtrWdh
Threatray	2'109 similar samples on MalwareBazaar
TLSH	T1DFF412236543DCBDE1BF02F4146C35B18A02BD34D8276D6E66D7FA8687BC2A4E527381
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	a065646aeec646ec (21 x AgentTesla, 13 x Formbook, 5 x DarkCloud)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

455

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471338/

Detection(s):

SecuriteInfo.com.Variant.Strictor.286733.21656.5618.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit control greyware keylogger lolbin lolbin masquerade packed packed packed shell32 upx

Link:

https://www.filescan.io/uploads/65a7f20bd1ae2d05b96c11df/reports/607b2581-289c-4485-b517-cd941692dc0b/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b7cd44ca-b244-4c0a-b7b3-f208cd75f3f6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1376150

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Contains VNC / remote desktop functionality (version string found)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814/

Threat name:

Win32.Trojan.Strictor

Status:

Malicious

First seen:

2024-01-17 15:28:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=be6jrabsp2owen26z6l7blki54khhh73mk52pitoylg7uxyyxaka._file

Verdict:

malicious

Label(s):

formbook

Formbook

583a2d1876ab1fe9703ac09dcd8a6a67cc86482f443691f343f4b2b4ec29dd0e

Formbook

8a153debc69f1d51f36df5763d50971a0f6b0ff6d88012abfc619a9633cc2818

Formbook

9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

Formbook

a56b22a39525ddd24a449fca6f955fa6618312e93a0e3bdac810eee9efc4616e

Formbook

bd758aa670944cc071a2e6f6d6eb2ad4faabb5f8b2b88dd325944685b6e9e1d2

Formbook

c125c422c6534f72a342ec54231c2caaff61cb2f649bb764913ff76e25705d4c

Formbook

d49d447fe7c79330af30e34a5657916d2ebd856bf314596fdf8dec6ebd58dbab

Formbook

fb5e0a41602403a20017973b3e0af1b742e32ecfbbf6f565b4ddc271e0c0350a

Formbook

+ 2'099 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

upx

Link:

https://tria.ge/reports/240117-swbdkshgek/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Unpacked files

SH256 hash:

75b54f2b1ac4c10556366a286091d39ddc499ed66e46ea889f504d89780c8a56

MD5 hash:

6989526364483ae536329719c2c266ac

SHA1 hash:

34a42d3f94f30d527f57c22f7ee0cdc5640030e2

Link:

https://www.unpac.me/results/bd626470-aa45-493d-b679-7a4e41b81412/

SH256 hash:

a2d849cbecb3dc496f35171e95512b83b1589ef788e178533cff772fa8a33a40

MD5 hash:

d11599cfbb84913f133096912f642a92

SHA1 hash:

16e239b541f11c603aecd6839c603ca3a8312c55

Link:

https://www.unpac.me/results/bd626470-aa45-493d-b679-7a4e41b81412/

SH256 hash:

bc2ff405c34409977cae8207304cf3a5372a7f462821ec935b4483df0446db48

MD5 hash:

2df0dbd707472ab9a87d378c8b213d0c

SHA1 hash:

b7097890830a34b43fac8d7dc1e77093a7c044f8

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/bd626470-aa45-493d-b679-7a4e41b81412/

SH256 hash:

093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814

MD5 hash:

bee7ee5d75f9162ec7f5ce9d882fcec7

SHA1 hash:

ab241bb1cd971c6eae948f3b38b51f85432cb7a3

Link:

https://www.unpac.me/results/bd626470-aa45-493d-b679-7a4e41b81412/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/093c9880327e9d62375ecf97f0ad48ef14739ffb62bba7a26ec2cdfa5f18b814

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/471338/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample