MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments 1

SHA256 hash:	9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c
SHA3-384 hash:	405bee1a7e79279f0edff1650ff4943a3275d33413f61b7dc732a9e3d956f0ac084eb3c194311a97f0c006a956f51cbe
SHA1 hash:	a9476ce40e333110eed445baa50dbf521e67cc68
MD5 hash:	410dec2d786b542c67397ab8cc7ecaf3
humanhash:	west-nebraska-jupiter-queen
File name:	410dec2d786b542c67397ab8cc7ecaf3
Download:	download sample
Signature	Formbook Create hunting rule
File size:	616'960 bytes
First seen:	2023-07-25 18:06:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:QXPZnHKseMuZOGDF63CfEntCqpl6h9qWELhIvKjoD:EahDDFQC56rC
Threatray	3'354 similar samples on MalwareBazaar
TLSH	T1A3D4120233DC970AD4FDA3BE595188594FF0FE9B8061E3042F9C48DA9E2A7608664F67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	2d6dbd754d4d71b2 (8 x AgentTesla, 6 x Formbook, 1 x SnakeKeylogger)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

410dec2d786b542c67397ab8cc7ecaf3

Verdict:

No threats detected

Analysis date:

2023-07-25 18:29:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/933a4562-e08d-479d-8a0a-7516b3a33111

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/432965/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.14156.21327.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2e5d8c3-9d52-46aa-88e5-999258088d02

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1279544

Signature

.NET source code contains potential unpacker

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-25 18:07:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=siblgvci4zjxqha6ruckl4jgnzabc2bsm5n6tmewanhu4cdby6ga._file

Verdict:

malicious

Label(s):

formbook

Formbook

5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496

Formbook

69390302e6a82cad49f3eabbba2f274a63202c9df899709de1d78d7f8a9a9584

Formbook

6c5d418831206f110eac092468ea4197e3253f3350e48b0986e130995bd46451

Formbook

99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef

Formbook

9b856353b8035076d471e5d49541384c399c546ac325f7d5a68f3f7aa6935496

Formbook

9cfa472702dbedc0f87b0e594d3c8ace16e1c9952d8d7e44be8aa9114b214c45

Formbook

9e6e021c6deed0f7538b92df6a47667f2c52919628fa4886c6948860720f9214

Formbook

be2475ea44f278e69a3ac0e3c4e159011d3e44fd79630ea44318c67fae703a2a

Formbook

c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76

Formbook

+ 3'344 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230725-wqa3eafd3v/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in System32 directory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

0db9b51a608d7465c020bc2d00f9f8224afb60a05daa167c80e1228848269334

MD5 hash:

ad06d9a94b2bba799912112ad610ebf7

SHA1 hash:

2ae0d29c052ac1b08bb8895a725ec1ecc4709bcd

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/0907df76-6f17-4f62-bdaf-2e5316e1957a/

Parent samples :

9cfa472702dbedc0f87b0e594d3c8ace16e1c9952d8d7e44be8aa9114b214c45
9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c

SH256 hash:

089d7c71a2e943df7604037ae31d39e3417a8c6a3d71a919ee4bd98651877d60

MD5 hash:

f35e7a0b07e100aa05eabc2cd5c3ec02

SHA1 hash:

d3bb2c24a4c47372048fb1e2b154d3bc6347f097

Link:

https://www.unpac.me/results/0907df76-6f17-4f62-bdaf-2e5316e1957a/

SH256 hash:

06de07d76dc7e697a9c986ccae30992e49e688b61478d656f406a7176da0d925

MD5 hash:

1a8a1140161e9988da36f7a3305330eb

SHA1 hash:

f235ad37983aa0ca0e89f4d6febfb7c44d77e13f

Link:

https://www.unpac.me/results/0907df76-6f17-4f62-bdaf-2e5316e1957a/

SH256 hash:

3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137

MD5 hash:

60126f10641986bbcefca9ed6159994b

SHA1 hash:

df584155d49b10805f1f0d81a758e98b23990815

Link:

https://www.unpac.me/results/0907df76-6f17-4f62-bdaf-2e5316e1957a/

SH256 hash:

b9a20d6a037273d22acfef040a5ee5eaf300f8ed3cfa174ef8a7c400b3753105

MD5 hash:

f2ddeb90f1d02f7f07a7d4784907f037

SHA1 hash:

03ecca6a926462f1559c29e0d59dd99ed62b60fa

Link:

https://www.unpac.me/results/0907df76-6f17-4f62-bdaf-2e5316e1957a/

SH256 hash:

9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c

MD5 hash:

410dec2d786b542c67397ab8cc7ecaf3

SHA1 hash:

a9476ce40e333110eed445baa50dbf521e67cc68

Link:

https://www.unpac.me/results/0907df76-6f17-4f62-bdaf-2e5316e1957a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9202b35448e6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2689784/

Cape

https://www.capesandbox.com/analysis/432965/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-07-25 18:06:53 UTC

url : hxxp://87.121.221.212/secdukaszx.exe