MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21
SHA3-384 hash: 6a4aac9e16ab8d7b23e4de589dbb2bb36e108d94637f4e981a4bde781031ce34c3bd2a772425915ed0fa8db28f9bf744
SHA1 hash: f00ada6641a7a8c9d6d6336cfa1c439ee94ef16f
MD5 hash: 04b7c885a1ee80be9d8bcf67134d1595
humanhash: sink-grey-cup-uranus
File name:Hesaphareketi-01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:700'416 bytes
First seen:2023-05-09 06:44:22 UTC
Last seen:2023-05-15 10:22:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:hZks3yj3gAvCtoSdhTMn55IaZ3HDBLTi6gsmXuaweqzrtm:9WvZSdg5DBLTiCmfwey
Threatray 2'840 similar samples on MalwareBazaar
TLSH T1E4E4E04962A58B62F9678FF42938744407763CE7E8E4D9480CD771CE5BFAB403980DAB
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 1535756961754d45 (2 x Formbook, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
3
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 06:48:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c072774-5bac-4e06-b3fc-f7901c5ca9ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387683/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6459ebf0b664422b69d5f020/reports/667e1a62-8925-4246-aca8-b894ff2d36dd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07267104-2356-47be-a96c-dfc86d55627a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229046
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862014 Sample: Hesaphareketi-01.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 Hesaphareketi-01.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\Hesaphareketi-01.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 Hesaphareketi-01.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 1 1 14->17 injected process8 dnsIp9 30 www.assuraf.world 46.30.211.38, 49700, 80 ONECOMDK Denmark 17->30 32 www.hydeding.top 45.207.39.193, 49699, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 17->32 34 www.thresholdshift.co.uk 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmstp.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 09:28:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bheqtwbg6zzxkcc2rdc2qw6ympln6etwl52yj3jnionpo6x4jqqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
48dcf0afe635fd456a6914465d2b79e61ddbd57d304203eeeb14cafbf5dd1e81
Formbook
51054c5181fc248a1642dc3a5cdb7f353aaf5d136aa20bdc59084970e74c5a8b
Formbook
53176c142b4a57f89c57ed969d3a578640841c09db2a58bc9f360a636c8d5947
Formbook
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
Formbook
a96ec414b99747cf8859a77e2d05ea24053db3fa343474a007180dfefda658ca
Formbook
bf03cd8e5554ec62c98931069f436ec71ac21d57a8922b1bb3c1958a0a9256f3
Formbook
c11514fce0720af2328f702e0a42aaea3b9d4ef635de46d638a9ca0629e5f75d
Formbook
c1a8208a8af8fb2ab397e586ea8a7f265921e6f21eb592af42a8f5c805d18557
Formbook
e014baadd84bece77f1f8366ea528671bf0bd70fcee974fe1a262bb0ec0a2565
Formbook
ebb76e46e178491fd48787e80ce952910124d6f1a00c92744a5f84278192030c
Formbook
+ 2'830 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bm49 rat spyware stealer trojan
Link:
https://tria.ge/reports/230509-hh292aee99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
80cea87702f5b178108354f6c95a9ecc23ea15020f61618a6daece8c07420e4e
MD5 hash:
780f1bc48924eab9f522099f9333746b
SHA1 hash:
f0adcc95ea04485ed21eb9b94c62c14a460e9459
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e88bd19a-1c1a-4941-9873-c22729fa999c/
Parent samples :
09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21
1fe93bcce0611f7025ad13add45a4f37516a1e9b3f348e553fa27d184bf441c7
SH256 hash:
55e4f1ba826f13c7f2bce4ab71c5132b37cc26e1fc866ec551fb530a294e5a99
MD5 hash:
ecc0e610e74a1071bb2b71bd17ec3f59
SHA1 hash:
bbb5126b51e1c209f4b217cc550d5d85abd77869
Link:
https://www.unpac.me/results/e88bd19a-1c1a-4941-9873-c22729fa999c/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/e88bd19a-1c1a-4941-9873-c22729fa999c/
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/e88bd19a-1c1a-4941-9873-c22729fa999c/
SH256 hash:
6849b64daa2fff3ba8926f36a36b0855cc0223a7500ae96181af112caeb2febe
MD5 hash:
bd6bf80d32ed1f49afee9abdea1ef57c
SHA1 hash:
12394d58f5d5358d96fa6f05bb99606f987d424b
Link:
https://www.unpac.me/results/e88bd19a-1c1a-4941-9873-c22729fa999c/
SH256 hash:
09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21
MD5 hash:
04b7c885a1ee80be9d8bcf67134d1595
SHA1 hash:
f00ada6641a7a8c9d6d6336cfa1c439ee94ef16f
Link:
https://www.unpac.me/results/e88bd19a-1c1a-4941-9873-c22729fa999c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/09c909d826f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387683/

Comments