MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9266cbea03c00bd09e7bf997dee6635840bc2383a0f60c94a2e03b636ec23c84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9266cbea03c00bd09e7bf997dee6635840bc2383a0f60c94a2e03b636ec23c84
SHA3-384 hash: 992473302352f82c3142b082fbbbb995a6a1452a996c26ac3b80384d5f1f3e657737027d1e96ddda3d0fe8e418a4c92b
SHA1 hash: c36d55bdb0a862d7b7719fab0c8bfa77ce0523c7
MD5 hash: cc99dce3b9ff38e6d9dd3756e7473e97
humanhash: sodium-mexico-montana-autumn
File name:9266cbea03c00bd09e7bf997dee6635840bc2383a0f60c94a2e03b636ec23c84
Download: download sample
Signature Formbook
Create hunting rule
File size:406'016 bytes
First seen:2020-11-15 23:07:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b6fd9945877b7e9d67b9e475c6d6ddf (16 x AgentTesla, 15 x AsyncRAT, 10 x Formbook)
ssdeep 6144:2XUtfB18BqSWI6r8+iO47TVAOm/te0m53mifb2vWm1vWyXRisuckGiz57eX1lqNI:AUtfBCB36rnIwKmDAyXRikrE141lkr0n
Threatray 2'927 similar samples on MalwareBazaar
TLSH B184E01870E2C433D0F9103819D4976794B479321BA5A8BFF7984B2E9F387D29772A27
Reporter seifreed
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-9791231-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537416
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 317805 Sample: AhoZAxHX4t Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 38 www.palmasyplantas.com 2->38 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected FormBook 2->50 52 2 other signatures 2->52 12 AhoZAxHX4t.exe 1 2->12         started        signatures3 process4 signatures5 64 Tries to detect virtualization through RDTSC time measurements 12->64 15 AhoZAxHX4t.exe 1 12->15         started        18 conhost.exe 12->18         started        20 AhoZAxHX4t.exe 12->20         started        process6 signatures7 72 Injects a PE file into a foreign processes 15->72 22 AhoZAxHX4t.exe 15->22         started        process8 signatures9 54 Modifies the context of a thread in another process (thread injection) 22->54 56 Maps a DLL or memory area into another process 22->56 58 Sample uses process hollowing technique 22->58 60 Queues an APC in another process (thread injection) 22->60 25 explorer.exe 22->25 injected process10 dnsIp11 40 www.thekindnessprojecthickory.com 216.239.136.99, 49730, 80 OMNISUS United States 25->40 42 www.mannyaviles.net 104.28.15.36, 49736, 80 CLOUDFLARENETUS United States 25->42 44 www.vemlidylaunchcentralamerica.com 25->44 62 System process connects to network (likely due to code injection or exploit) 25->62 29 cmd.exe 25->29         started        32 colorcpl.exe 25->32         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 29->66 68 Maps a DLL or memory area into another process 29->68 70 Tries to detect virtualization through RDTSC time measurements 29->70 34 cmd.exe 1 29->34         started        process15 process16 36 conhost.exe 34->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9266cbea03c00bd09e7bf997dee6635840bc2383a0f60c94a2e03b636ec23c84/
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:09:54 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
4d27c9f76ad56d0acf75219b5074f9d5cb43cd9b394904963352d55adb970368
Formbook
4e712f5df51bc5970b962b170cfde7a6cd20622ac67164a6f2101655a8a7d7f3
Formbook
5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2
Formbook
5718e1407d78fa10c9f60928d72d6c67e3555f740ae84f9d81c5516b2a466385
Formbook
5abc963a4cbaaee6582d5db264da8b2cb0c5a760115047a8df1e629c48dfc6e9
Formbook
68ea8e450d6a5df8ae9d671ac8f4d1f60548992e0e7b0ed32c1587fe7d7d14f2
Formbook
718d659864d771ebadf82d8b5461d39c2bd6bd514ea2d2273d2821a23ab28ed0
Formbook
9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9
Formbook
d99b374a5972bbdeb57de9c8a41cc6b8c3f8928916151a40257967baa855917b
Formbook
+ 2'917 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201115-msrm37g9kx/
Unpacked files
SH256 hash:
9266cbea03c00bd09e7bf997dee6635840bc2383a0f60c94a2e03b636ec23c84
MD5 hash:
cc99dce3b9ff38e6d9dd3756e7473e97
SHA1 hash:
c36d55bdb0a862d7b7719fab0c8bfa77ce0523c7
Link:
https://www.unpac.me/results/901ed155-6f86-412a-a23d-e539e069a794/
SH256 hash:
5368ef39682fa91b7326a0cc58d46ab151a51dfa6a3390c415d51b71d151db73
MD5 hash:
69639d0ad54a141c6a25274b7b330a62
SHA1 hash:
a2aaf9798f33ea250a11e98eed9e9f8987928cab
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/901ed155-6f86-412a-a23d-e539e069a794/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments