MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
SHA3-384 hash: e56472ed19c6a6a509426f1c84c3d913e0e06dee78859d4d9525a03f48f068c91b17f8b1128ce9090d1e0c4ca459b0f7
SHA1 hash: 33eb9c66bb959332f963ab928fdbd655ac9e5e4e
MD5 hash: 85be6547409011c0804230f2f09f7ca3
humanhash: autumn-five-river-snake
File name:85be6547409011c0804230f2f09f7ca3
Download: download sample
Signature Formbook
Create hunting rule
File size:656'896 bytes
First seen:2022-06-28 11:13:12 UTC
Last seen:2022-07-15 03:45:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:N7RjkdayNF6izPjVh/XXWrXgUEe4O60tvzwPU:xaaWzPf/WrPRfTZ
TLSH T178D4CF6616A49ECFEC7905F58018411043B8B6A935CBF3DE8FD1A1F89ADEFC2891345B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283916/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bae2be1ebc913a4204054c/reports/d413a553-5334-4ef0-8ebd-5467e77ecead/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d961dbe-a1d6-46a0-939d-0a9a7feaf6c7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021129
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-06-27 18:48:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwp4airx2bvoh3s6vbnocsqfvna65gpqhldgby7wgyfmnbsl676q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nn40 loader rat
Link:
https://tria.ge/reports/220628-nbzhfshaar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
280bca40638a68b18083e28cb44735bebb7ee370398608b9d05aea8f94e214a1
MD5 hash:
b05e3ec4b78c971c129b3dfa0098a8de
SHA1 hash:
c99464170a88888c2c8839f6e8f6ce8126069049
Link:
https://www.unpac.me/results/de75e306-d9dd-443e-8bab-b6b30a5a9d5f/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/de75e306-d9dd-443e-8bab-b6b30a5a9d5f/
SH256 hash:
0aa8ea56f670ef5041fe87ee1a27b6623c2cf7996ed489214aa076996ca40cac
MD5 hash:
faf84cab64260654988db2f9157f8f89
SHA1 hash:
e1e6ebeaf252c78e74c1355cdefc6a2c52cfab70
Link:
https://www.unpac.me/results/de75e306-d9dd-443e-8bab-b6b30a5a9d5f/
SH256 hash:
e1ab3c5ccc442c9d9f1e1c2d3be0bc4fcdae946f9f05ba94a3b91dee92f32a65
MD5 hash:
118eb0ec0324e5d28d0feab8107a46eb
SHA1 hash:
fe2ab0096290a8281f50b9d9be8a5791b43dac3d
Link:
https://www.unpac.me/results/de75e306-d9dd-443e-8bab-b6b30a5a9d5f/
SH256 hash:
eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3
MD5 hash:
f8fbac0b58d026c8dd80df878e2e7774
SHA1 hash:
69de8ce161c2fdd0d10aee01a20a1e3b2b51237c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/de75e306-d9dd-443e-8bab-b6b30a5a9d5f/
Parent samples :
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SH256 hash:
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
MD5 hash:
85be6547409011c0804230f2f09f7ca3
SHA1 hash:
33eb9c66bb959332f963ab928fdbd655ac9e5e4e
Link:
https://www.unpac.me/results/de75e306-d9dd-443e-8bab-b6b30a5a9d5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2249082/
  
URLhaus
https://urlhaus.abuse.ch/url/2252019/
Cape
Cape
https://www.capesandbox.com/analysis/283916/
  
URLhaus
https://urlhaus.abuse.ch/url/2252184/

Comments


Avatar
zbet commented on 2022-06-28 11:13:15 UTC

url : hxxp://107.172.76.188/h/kkk.exe