MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb
SHA3-384 hash: 1e04c7ebdf5980413d6b59abd801f73f3b6be379b2681dc472bc90605cdfa0377bbf1e7a251de1a4e828a4f57863b732
SHA1 hash: ed1dfeb19e7703ae432232f3b42ae851489bd255
MD5 hash: cef00c31ecebb5994e9fff037fd95145
humanhash: nevada-cold-july-september
File name:We8uqPnF94hDlzF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:659'968 bytes
First seen:2023-09-12 09:37:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:X0U05fVsbR2MJCaIN1+JPM2ODsbVhktvi+qa2Cm+kEcX/tXYXn:Xh0tO2VY3NJhqida2L5E
Threatray 1'899 similar samples on MalwareBazaar
TLSH T145E4CEF83150E3DEC766C3BF89575C70A9137C661236828A727F36988D9D9C78E118B2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
We8uqPnF94hDlzF.exe
Verdict:
Malicious activity
Analysis date:
2023-09-12 09:40:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d6f18c4-71ba-4fd4-a68b-da2c2c3b7e54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448129/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6500317ab572d5a2189a7a4a/reports/180b89d5-8688-4b68-ada9-1472548f114b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/17d2ba08-fbf7-4d06-9421-d0a34475b4f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 12:26:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfurtx6jmagjsqxfvy32yvjgzbp73y6trr6qadvqduwq33krjo5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ea94454b1acb888df318792b9a81e621b95e54619d3306a4a11e26148fb3fe3
Formbook
4339763c2998a0b0a63f0a1e0034decd766d3fc8d3cf35e946a7b12c9e34ab3e
Formbook
6695e4331e8ce9706466a68a03272ca2e09fa21141d08fede561a93eb8962c9f
Formbook
837fc8d2a3e348e96ea2db94abbe3319b380496b7329cde30519b26f51c1de88
Formbook
8510156c681956fa592f4e2f346a7cd02ce7a00a31264dc2106e6e0b5a4b267b
Formbook
8dbb132dccc8fb8a83062fec3840b1556a75862c07d22a0740ca095698ed0f6d
Formbook
bee949c5192f46467c2fb76490dd2407f4206639c2e5e824c74e879c02fcc342
Formbook
cc3282f638a0bf6f5d3246310825760861f1ad6a78e3146c47c3e454e594c909
Formbook
f72a8d106b976bd572e54e14f09ac3faed9c776395680f5689e412e62239409f
Formbook
+ 1'889 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:u1r9 rat spyware stealer trojan
Link:
https://tria.ge/reports/230912-ll2z8abd7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
23efea5d8036ebaa4561e6064811e1b7d9058826e3275a7fd61f757b0db123ed
MD5 hash:
937a94e2e4800640936de0bf346e1948
SHA1 hash:
012c3d00fd783c05d3f347df12771501ed078ad4
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/032d0c44-b4c7-4f38-857b-bf196b22a8de/
Parent samples :
2ea94454b1acb888df318792b9a81e621b95e54619d3306a4a11e26148fb3fe3
cc3282f638a0bf6f5d3246310825760861f1ad6a78e3146c47c3e454e594c909
85e06fedb8cdd8ea049ec9b62d480e58e55356953fc02694863c916d204f5614
cda350f17f9da84bd3c76f325656630c4724eeaa08949d9d99941859bf8f0315
bee949c5192f46467c2fb76490dd2407f4206639c2e5e824c74e879c02fcc342
f72a8d106b976bd572e54e14f09ac3faed9c776395680f5689e412e62239409f
6695e4331e8ce9706466a68a03272ca2e09fa21141d08fede561a93eb8962c9f
096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb
0192232934b2f9ae2a37ac4c8188f70804acd4c6718c95a47710f49e2f9ae9b1
SH256 hash:
1c605804692717613fad2611749834b065b5643e190dea0c9293bd45c7502637
MD5 hash:
42030966ae394e6fb45922926ed72e26
SHA1 hash:
a55f4ff51725a95f5a10fca3ea87a2aa8db46a39
Link:
https://www.unpac.me/results/032d0c44-b4c7-4f38-857b-bf196b22a8de/
SH256 hash:
dc6050184c59164b4cefb69ad835c788f7e4577cc04ba0014450e36be611df71
MD5 hash:
291a20f21a1fad15067f65efd0f27242
SHA1 hash:
63d1cc9924baf931c6481b3ff9fa8f42327eb519
Link:
https://www.unpac.me/results/032d0c44-b4c7-4f38-857b-bf196b22a8de/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/032d0c44-b4c7-4f38-857b-bf196b22a8de/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb
MD5 hash:
cef00c31ecebb5994e9fff037fd95145
SHA1 hash:
ed1dfeb19e7703ae432232f3b42ae851489bd255
Link:
https://www.unpac.me/results/032d0c44-b4c7-4f38-857b-bf196b22a8de/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/096919dfc960/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 096919dfc9600c9942e5ae37ac5526c85ffde3d38c7d000eb01d2d0ded514bbb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448129/

Comments