MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17
SHA3-384 hash: 443bdfc844bb01f5861b8021d7494e41a6c24c613beed34abc83c919fd0f355a0c810bcf60ba65651ff5b8a31c42c1b5
SHA1 hash: 9febc08333038e212dabb5bdecad56cdb7c841e1
MD5 hash: 18bb5b67ef8ce137a7546acdce62ee5c
humanhash: may-skylark-chicken-mango
File name:SecuriteInfo.com.Variant.Jaik.195228.30803.30939
Download: download sample
Signature Formbook
Create hunting rule
File size:421'920 bytes
First seen:2023-11-02 06:16:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:U8LxBCXMMCNrCkPKikHzlZw7Il2AcNEL79mhxk6jC8fzhnz8w/hQ5Y5lrFvm7/VZ:urCNNK7Hzj2IQAYELGjD05YX5vIXsLGL
Threatray 2'129 similar samples on MalwareBazaar
TLSH T1A894232625C2D4ABC0EA07F0CE7AD73AE37B49146F44A54B47A81F3F3EE11834E9A115
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 78f9b898b8c2c940 (16 x Formbook, 15 x AgentTesla, 2 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457746/
Detection(s):
SecuriteInfo.com.Variant.Jaik.195228.30803.30939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Likely Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65433ede72356e4f29ea9d55/reports/5f6b5fcd-ae9e-4728-9b22-b9f3a53bc2e2/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a49f3110-4621-4050-b890-4ccccdad29f5
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335831
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335831 Sample: SecuriteInfo.com.Variant.Ja... Startdate: 02/11/2023 Architecture: WINDOWS Score: 100 36 www.youtube-manager.site 2->36 38 www.waveoflife.pro 2->38 40 11 other IPs or domains 2->40 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Found malware configuration 2->60 62 8 other signatures 2->62 12 SecuriteInfo.com.Variant.Jaik.195228.30803.30939.exe 17 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\micfoiqna.exe, PE32 12->34 dropped 15 micfoiqna.exe 1 12->15         started        process6 signatures7 74 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->74 76 Maps a DLL or memory area into another process 15->76 78 Tries to detect virtualization through RDTSC time measurements 15->78 18 micfoiqna.exe 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 48 Modifies the context of a thread in another process (thread injection) 18->48 50 Maps a DLL or memory area into another process 18->50 52 Sample uses process hollowing technique 18->52 54 Queues an APC in another process (thread injection) 18->54 23 explorer.exe 39 1 18->23 injected process10 dnsIp11 42 quinshon4.com 15.197.204.56, 49723, 80 TANDEMUS United States 23->42 44 jon188.ink 198.54.116.237, 49721, 80 NAMECHEAP-NETUS United States 23->44 46 3 other IPs or domains 23->46 64 System process connects to network (likely due to code injection or exploit) 23->64 66 Uses netstat to query active network connections and open ports 23->66 27 NETSTAT.EXE 23->27         started        signatures12 process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 27->68 70 Maps a DLL or memory area into another process 27->70 72 Tries to detect virtualization through RDTSC time measurements 27->72 30 cmd.exe 1 27->30         started        process15 process16 32 conhost.exe 30->32         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-02 05:10:16 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhe7li45ypr2yeqsomj3ncfsezzn7rw3ljnmwxj6trnw4jl3lqlq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
014ed741b83b7bd4572f9fb1285ebecf658b74eb367b712614034c28b9af4845
Formbook
09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17
Formbook
3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589
Formbook
46b721c436cd339be63937ca6b9912831af85f8fca25d0e752e900683f073a05
Formbook
97acc5c52513ead4ba018af7dd726edd3179f993099640681cd706db4d263f38
Formbook
9b9b02ea3c7c20a3b347712178063d70b93f8027bb5c57bd160692fbffe582ff
Formbook
ad5097f981c366a853537cc8a7d745da73615e051c523b92f6ca7dcb80ea82b7
Formbook
+ 2'119 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ge06 rat spyware stealer trojan
Link:
https://tria.ge/reports/231102-g1191sac46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
bd27766fba30d2b0968b83369c90d36715cf98e77ce06fffced20310baa9cb4b
MD5 hash:
d85f122419c47a2d951ca93a266a336d
SHA1 hash:
87abb71c9a2e80a27f131ede433e4d4a315817c6
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/523877f6-b986-400b-9f01-0561e94c334e/
Parent samples :
9b9b02ea3c7c20a3b347712178063d70b93f8027bb5c57bd160692fbffe582ff
46b721c436cd339be63937ca6b9912831af85f8fca25d0e752e900683f073a05
09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17
b86cd11880add13d576f154fbadc2d97eb4fd21f05813c52dc427ddb7dd8cdde
SH256 hash:
400edacca3aaf969b9c18db05fccffd73a2b952e59c6dfe3e33fabcb4c4c56ce
MD5 hash:
420d0c5687114043441dabffc9ff9ee9
SHA1 hash:
74d66c2f6b86eb711a56aac655ec164b35580942
Link:
https://www.unpac.me/results/523877f6-b986-400b-9f01-0561e94c334e/
SH256 hash:
09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17
MD5 hash:
18bb5b67ef8ce137a7546acdce62ee5c
SHA1 hash:
9febc08333038e212dabb5bdecad56cdb7c841e1
Link:
https://www.unpac.me/results/523877f6-b986-400b-9f01-0561e94c334e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/09c9f5a39dc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 09c9f5a39dc3e3ac12127313b688b22672dfc6db5a5acb5d3e9c5b6e257b5c17

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2726990/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/457746/

Comments