MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9156ffdaa24940b38a6bac300ef18a2acaac9ed521d6968ff0477170e209b1fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9156ffdaa24940b38a6bac300ef18a2acaac9ed521d6968ff0477170e209b1fb
SHA3-384 hash: 5eca874987fb43b9c6cc72a1d5e1079aae726312dd0ea5953145c8686501ee512c08a1d439aa0938911ff5fa1708ad9c
SHA1 hash: b2bb0d188686939d74e80896bca38fbdae884c6f
MD5 hash: 7fe627a1683ec232399cb09e99995038
humanhash: wyoming-carpet-seventeen-blossom
File name:7fe627a1683ec232399cb09e99995038
Download: download sample
Signature Formbook
Create hunting rule
File size:402'944 bytes
First seen:2021-06-24 00:12:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 621d175e940c3f2ca7217a398b3c22a6 (11 x RedLineStealer, 2 x DarkVNC, 1 x ArkeiStealer)
ssdeep 12288:/dn6YWBZh4tbqI+kgzGhuzbV6HcI/BYl:/UYWBZsmRzx6
Threatray 5'984 similar samples on MalwareBazaar
TLSH 0584BF10FAA1C035F2F756F45A76A3ACA93E7AA1672450CF52D42AEE16347E0EC31317
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.rtf
Verdict:
Malicious activity
Analysis date:
2021-06-21 06:06:10 UTC
Tags:
exploit CVE-2017-11882 trojan formbook stealer
Link:
https://app.any.run/tasks/64077c1c-6eea-47f8-b0fd-58be9bbb46c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Pwsx-9874160-0
Create hunting rule

Win.Packed.Zenpak-9874358-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cbd5ab8-9d7f-47b2-810a-ad68976d5319
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806975
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439386 Sample: TW8o2zNu2Q Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 4 other signatures 2->38 9 TW8o2zNu2Q.exe 2->9         started        12 explorer.exe 2->12         started        process3 dnsIp4 40 Detected unpacking (changes PE section rights) 9->40 42 Tries to detect virtualization through RDTSC time measurements 9->42 15 TW8o2zNu2Q.exe 9->15         started        26 ofm-kuwait.com 50.116.109.135, 49732, 80 UNIFIEDLAYER-AS-1US United States 12->26 28 www.eufootball.xyz 195.234.215.67, 49730, 80 UN-UKRAINE-ASKievUkraineUA Ukraine 12->28 30 9 other IPs or domains 12->30 44 System process connects to network (likely due to code injection or exploit) 12->44 46 Performs DNS queries to domains with low reputation 12->46 18 chkdsk.exe 12->18         started        signatures5 process6 signatures7 48 Modifies the context of a thread in another process (thread injection) 15->48 50 Maps a DLL or memory area into another process 15->50 52 Sample uses process hollowing technique 15->52 54 Queues an APC in another process (thread injection) 15->54 20 taskhostw.exe 15->20         started        56 Tries to detect virtualization through RDTSC time measurements 18->56 process8 process9 22 cmd.exe 1 20->22         started        process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9156ffdaa24940b38a6bac300ef18a2acaac9ed521d6968ff0477170e209b1fb/
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 12:44:01 UTC
AV detection:
37 of 46 (80.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
456614711c0a92e9455fc588f27889ee37c509b2f5e8c901d351346e8cf6140c
Formbook
546a357750ec3b4f5f238d7e1e273f336d11c6ea5ef51976243e1fa1a8e335ec
Formbook
6e7f8ff3782bb90e21df7fd4f7b61369e10b3965cde2cab0c24d6876809afb4e
Formbook
9914c8ad9ea0318f57214c6eb2f2e3f891b71ba054a9de071432ec92eb6bfe0d
Formbook
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Formbook
9cf07e6cbf0321dc63141d5d14b6df920c9c90ee178636def703946324fec78b
Formbook
ab6a4abae4d494b05d58dcf9a354231d3c7ae78fec4a62fc1f5559febdc3995c
Formbook
b0762ca49381026932f488d2a816a18639c410ba45f456014861ac66b9b3f4e6
Formbook
ce399cb6f48a7daf6fd1ce9ffc9a0fe086d101fac2c11a1a636e1932d3303c90
Formbook
f1b2b93992ab956883815e6fea926d282fc3a423675fa1faf5ffb6cbb2ddbedb
Formbook
+ 5'974 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210624-k81j8jvm72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.mightymodistillery.com/e6qd/
Unpacked files
SH256 hash:
0d931d03a6154c42d7da33c3460bc62064979024bc3d232a6abe63a7df7d51ec
MD5 hash:
4fc75124d9edfea3f1fcf2a500b099a7
SHA1 hash:
64aebcd999b1d087a4d5434dc24c1667e26315f6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/15a28340-81a5-4b28-b68c-8d58dfe47069/
SH256 hash:
9156ffdaa24940b38a6bac300ef18a2acaac9ed521d6968ff0477170e209b1fb
MD5 hash:
7fe627a1683ec232399cb09e99995038
SHA1 hash:
b2bb0d188686939d74e80896bca38fbdae884c6f
Link:
https://www.unpac.me/results/15a28340-81a5-4b28-b68c-8d58dfe47069/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9156ffdaa24940b38a6bac300ef18a2acaac9ed521d6968ff0477170e209b1fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9156ffdaa24940b38a6bac300ef18a2acaac9ed521d6968ff0477170e209b1fb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393009/

Comments