MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09ebcb323865c97c1303942fe7a07144ec7a505147f3b0548f621fa1a639ecee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09ebcb323865c97c1303942fe7a07144ec7a505147f3b0548f621fa1a639ecee
SHA3-384 hash: 16f3ce8bbec850b249fdeab045de6e8f947a2c10e883821924390741e723be2a8f2a3395e6ffca269247f5841ac1271e
SHA1 hash: 93a11f580e7d9aba08f06c48bea046886afa56ef
MD5 hash: d351703bda08a7ecedd5dc0567b2686c
humanhash: whiskey-tango-sink-solar
File name:d351703bda08a7ecedd5dc0567b2686c
Download: download sample
Signature Formbook
Create hunting rule
File size:167'424 bytes
First seen:2022-03-28 08:45:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:g3J2aj2FnQ8oFnBjMK1pJ3aGx0g9KF2PmN133NU3lBJLT6zuF5+Rs0L4:gMlIVMK1fKGf9Y2PmwT6qF5+Rs0L
Threatray 14'810 similar samples on MalwareBazaar
TLSH T18AF39E32D741C071E2A242F5B2AD1B7B893E0D34235560E6E7E219A56EF19E5F43930F
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
http://olypath.com/XRwzF.exe
Verdict:
Malicious activity
Analysis date:
2022-03-28 09:06:03 UTC
Tags:
loader formbook trojan stealer
Link:
https://app.any.run/tasks/b79a9143-67d7-4ec5-8b9d-ba9cf61d365e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258521/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Win.Malware.Formbook-9802749-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook overlay packed
Link:
https://www.filescan.io/uploads/624175d2a19c6494129e51e0/reports/32c8ccd3-8274-41e7-8ee9-559a741fef85/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01737a98-9088-4684-a28f-a2450ed7d233
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965642
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 598124 Sample: HbaQWk3m1D Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 28 www.nyonalshareq.com 2->28 30 www.lambangquangcao.net 2->30 32 nyonalshareq.com 2->32 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 6 other signatures 2->54 10 HbaQWk3m1D.exe 2->10         started        signatures3 process4 signatures5 56 Modifies the context of a thread in another process (thread injection) 10->56 58 Maps a DLL or memory area into another process 10->58 60 Sample uses process hollowing technique 10->60 62 2 other signatures 10->62 13 explorer.exe 10->13 injected process6 dnsIp7 34 dex-directory.xyz 185.61.153.97, 49775, 80 NAMECHEAP-NETUS United Kingdom 13->34 36 mallpay168.com 199.33.112.228, 49773, 80 CDSICA Canada 13->36 38 8 other IPs or domains 13->38 64 System process connects to network (likely due to code injection or exploit) 13->64 66 Performs DNS queries to domains with low reputation 13->66 17 raserver.exe 13->17         started        20 autofmt.exe 13->20         started        22 autofmt.exe 13->22         started        signatures8 process9 signatures10 40 Self deletion via cmd delete 17->40 42 Modifies the context of a thread in another process (thread injection) 17->42 44 Maps a DLL or memory area into another process 17->44 46 Tries to detect virtualization through RDTSC time measurements 17->46 24 cmd.exe 1 17->24         started        process11 process12 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/09ebcb323865c97c1303942fe7a07144ec7a505147f3b0548f621fa1a639ecee/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-28 08:46:09 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhv4wmrymxexyeydsqx6pidritwhuucri7z3avepmip2djrz5txa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5
Formbook
4083d4907b0926bbea1b80c0dd047d1e6c835dc259f9e698c4cfb7f2218b77d3
Formbook
4ba70a201f9aeed927954ccf79ebba102df5f50c437c278636b1905b3f71058f
Formbook
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
Formbook
66ed20e609a1c10376f30415f4f2a03aa274fbdaaa12925dcc81ed74bfb7fdfa
Formbook
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
Formbook
d91c911d4a21204591e37d9ffa82b0390d3ec8773344b3ebb442065bf3aaf4d0
Formbook
f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d
Formbook
+ 14'800 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:eoww rat
Link:
https://tria.ge/reports/220328-kpavgaddfl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
09ebcb323865c97c1303942fe7a07144ec7a505147f3b0548f621fa1a639ecee
MD5 hash:
d351703bda08a7ecedd5dc0567b2686c
SHA1 hash:
93a11f580e7d9aba08f06c48bea046886afa56ef
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e798e4b4-21a2-4ccd-ad95-4287de4d23dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/09ebcb323865c97c1303942fe7a07144ec7a505147f3b0548f621fa1a639ecee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 09ebcb323865c97c1303942fe7a07144ec7a505147f3b0548f621fa1a639ecee

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2117040/
Cape
Cape
https://www.capesandbox.com/analysis/258521/

Comments


Avatar
zbet commented on 2022-03-28 08:45:48 UTC

url : hxxp://olypath.com/XRwzF.exe