MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c27812888f54ebc6a9f691eed461d3276427e56e318bcc4a65fe00ba8ae363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09c27812888f54ebc6a9f691eed461d3276427e56e318bcc4a65fe00ba8ae363
SHA3-384 hash: fb12f1d7c24f4e9742096589039675080a1bc17ea0b5e9440d505b874bbcfad09a828c1ef6eb0150f1b79d82c49a8d2d
SHA1 hash: 9a1cdd9b053610422726e8e173321178d5941d37
MD5 hash: e226e3976f7603ff2d61c15e022809c8
humanhash: bluebird-magnesium-network-idaho
File name:Order No. BCM #03122020.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:849'408 bytes
First seen:2021-06-22 06:32:26 UTC
Last seen:2021-06-22 07:51:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dExOhlm4S4F3M9yQa/vmhLsGbLfZsLtwoORHfXwgSqaVyQI4ODdFmY:dHWrEvc/Lfa2RwgKxIvPm
Threatray 6'070 similar samples on MalwareBazaar
TLSH FC05C0202EE95119F177EF755FD075959BAEBF237702E48E1891338B1B32A81CD9023A
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order No. BCM _03122020.arj
Verdict:
Malicious activity
Analysis date:
2021-06-18 08:36:28 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/ffdcf63c-8079-4f38-80a9-08f98698c3e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167453/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.852.24978.24427.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fe9488a-29bb-4a81-8f66-781f561739d9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805755
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438166 Sample: Order  No. BCM #03122020.exe Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 31 www.cooperstandard-isg.info 2->31 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 8 other signatures 2->55 9 Order  No. BCM #03122020.exe 3 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 29 C:\Users\...\Order  No. BCM #03122020.exe.log, ASCII 9->29 dropped 57 Injects a PE file into a foreign processes 9->57 16 Order  No. BCM #03122020.exe 9->16         started        19 Order  No. BCM #03122020.exe 9->19         started        21 Order  No. BCM #03122020.exe 9->21         started        33 www.eliteworldcars.com 217.160.0.62, 49726, 80 ONEANDONE-ASBrauerstrasse48DE Germany 13->33 35 www.wjlst.com 23.82.205.169, 49717, 80 LEASEWEB-USA-SEA-10US United States 13->35 37 8 other IPs or domains 13->37 59 System process connects to network (likely due to code injection or exploit) 13->59 23 cscript.exe 13->23         started        file6 signatures7 process8 signatures9 39 Modifies the context of a thread in another process (thread injection) 16->39 41 Maps a DLL or memory area into another process 16->41 43 Sample uses process hollowing technique 16->43 45 Queues an APC in another process (thread injection) 16->45 47 Tries to detect virtualization through RDTSC time measurements 23->47 25 cmd.exe 1 23->25         started        process10 process11 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/09c27812888f54ebc6a9f691eed461d3276427e56e318bcc4a65fe00ba8ae363/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 02:08:56 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhbhqeuir5koxrvj62i65vdb2mtwij7fnyyyxtckmx7abouk4nrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e5e0b70c6db438a67db5ac483b0a4fc904742bc98ffb6d02b0595c868f3cdf0
Formbook
23cc105fad71d71dced93e63fdbab55354b4dc9700fb0de855acedaf5723ed9c
Formbook
44328ff389f8b9fb0679290b9848395d930dd57cf30eb76d16af61289e6ba2c7
Formbook
63b94415ccf2fabff3be3a811ded9a5306d68ac197adc07d7c2be3b313e8a665
Formbook
a1783d0a9f787d819b960b55c8ebfb227459bcb7daab55996720e8279751736f
Formbook
a18c72dd002da72c81258cf4e85a7a013233d16556472d78cd84d984e74edd6b
Formbook
a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Formbook
bc348990c0e735b8de2b3a92a45d1025d62b8e0ce23c364cdc9467aa566efc48
Formbook
d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94
Formbook
ddaa3b6f19f3e7b9a6e8ebe8188ceea0d1bb0c285a0b2d783c8d0cc7005e37a6
Formbook
+ 6'060 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210622-9klk1hklts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.innercriticarchetypes.com/h388/
Unpacked files
SH256 hash:
6d67f15f5de3ac18c4a24d693d37c9df82e42ecc44bd624a14bca8fdfc413dca
MD5 hash:
d8d715d270ae8bdc252aa363a21b7ac0
SHA1 hash:
fc71fa9e543a44f455e930f7de3255eb342efd9d
Link:
https://www.unpac.me/results/dde5ae54-1de7-41fa-b26f-bdd3fd6c5530/
SH256 hash:
09c27812888f54ebc6a9f691eed461d3276427e56e318bcc4a65fe00ba8ae363
MD5 hash:
e226e3976f7603ff2d61c15e022809c8
SHA1 hash:
9a1cdd9b053610422726e8e173321178d5941d37
Link:
https://www.unpac.me/results/dde5ae54-1de7-41fa-b26f-bdd3fd6c5530/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/09c27812888f54ebc6a9f691eed461d3276427e56e318bcc4a65fe00ba8ae363

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 09c27812888f54ebc6a9f691eed461d3276427e56e318bcc4a65fe00ba8ae363

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167453/

Comments