MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
SHA3-384 hash: d6b9d616dd9ca27b3615ded897512d2b7a7143bbd54482a9c3895ea555434127e1a1821cb5a998602706ee9c9bf84449
SHA1 hash: 1e2ac063df757aef5e40d5dfb6d691081e5dd176
MD5 hash: a904868887655565a03ffb102af7d191
humanhash: seventeen-equal-oranges-massachusetts
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:696'832 bytes
First seen:2023-03-30 13:47:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:c1Tw8vQlZPiPPw+gC4VsbtpJv29kl8s0uIAjZxJj8imOMt+:c11VPdglgv2mlTIA/d8imX
Threatray 2'441 similar samples on MalwareBazaar
TLSH T15BE4F1203AE98609D02A973E91E5D1B1A7B8DCC4D2B3C7274FD9BCC3739E356552A086
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-30 13:48:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1076db6d-a445-4b7c-b2d0-8a9d972a84ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378839/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64259312a5923ba84699437b/reports/135e9e4a-b056-4126-803e-05af5682b424/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/313aeae8-fec8-4b55-b6fa-1103db430ad5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1205197
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 838111 Sample: vbc.exe Startdate: 30/03/2023 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 Yara detected FormBook 2->37 39 2 other signatures 2->39 8 vbc.exe 3 2->8         started        process3 file4 25 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 8->25 dropped 11 RegSvcs.exe 8->11         started        14 RegSvcs.exe 8->14         started        16 RegSvcs.exe 8->16         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 11->53 55 Maps a DLL or memory area into another process 11->55 57 Sample uses process hollowing technique 11->57 59 Queues an APC in another process (thread injection) 11->59 18 explorer.exe 5 6 11->18 injected process7 dnsIp8 27 www.fashiontwin.info 184.94.212.57, 49727, 49728, 49729 VXCHNGE-NC01US United States 18->27 29 www.zservers.xyz 103.42.108.46, 49748, 49749, 49750 SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU Australia 18->29 31 22 other IPs or domains 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 43 Performs DNS queries to domains with low reputation 18->43 22 cscript.exe 13 18->22         started        signatures9 process10 signatures11 45 Tries to steal Mail credentials (via file / registry access) 22->45 47 Tries to harvest and steal browser information (history, passwords, etc) 22->47 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 13:46:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sumlxodtggeipedjeyubdkilaqoyabdz5w5rwc7eu5jg322hxpwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3e86387adbdd180e176ef1f444d80ce89ef89155e5fc41c6637c6ebb26c7f5f5
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
597979053a51f37ffa0cbeb1847f707b2dd3b3cdbcc5c0a5e66a1f15b5419b8e
Formbook
6368884fc56f3c1b926949574690a9f0842632406a7d91d821971d04b4245cd8
Formbook
9580bddf76a3d9179e760fba40850e85f6dc3baad1356165b78cf160bad11f28
Formbook
a0e5c335f0f479fec56a0e214fe7657e8d9b6f77cf5db53280ec1033c1dd2693
Formbook
a97aa6604d2ad5146a8ef252e571d4b0c1e2ee8566964be8086532ef049b10d4
Formbook
bedb5ef007caf41eb52f0331f1fdf5997271a828df7adb1e1132063129eba99e
Formbook
d69b13f1276594f9f10cf722a15179b0d71911a92d15a726e1bdd234a880cf92
Formbook
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
Formbook
+ 2'431 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230330-q34btsch66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Blocklisted process makes network request
Unpacked files
SH256 hash:
524f87a66be4679c591a5d3b822f7ab19f42049f6471d8e80c5229b1a0cfa308
MD5 hash:
fab4a8db9b8e2cedc894b9d0d2461e79
SHA1 hash:
3845700497ac915cf72ce8392ad3c73977294b21
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
Parent samples :
9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3
SH256 hash:
3caff88ee4a8a36d480afcf7ee7366a649a8b00042dd7366ad724bda91d9ef67
MD5 hash:
d68bf934bfaee5b27f2b6e032f0d84b3
SHA1 hash:
94a9b105b238eccd9a23c890f1843495a356a2fe
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
SH256 hash:
5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash:
c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash:
fda2b448e6c7a411e1baed2a8bca7050b9b769ef
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
SH256 hash:
3e0d37643bb30ec0bb5cdbfa9117b8ca1dadaaa87d83aa676501109e8249a3cb
MD5 hash:
da5421424c36042a2e7fd67f97bd8c1d
SHA1 hash:
f6422c2efa54430bd2c1c2cf29187e0473e36eb4
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
SH256 hash:
acf2544856ec328eeccbf129abc65886433fb3f58cea83ec63fd978dc1167662
MD5 hash:
8179c1c941f25ed0b7b6e574238c3a28
SHA1 hash:
700beccf495c9111ddceb62da8254b03422ab41e
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
SH256 hash:
ea2cbe289b879e93fec367ffba9610ec731fd8296d5ad1de1329b09b0bec42a8
MD5 hash:
6ddd4690fd10dfc2e3ff5e18f39efa6b
SHA1 hash:
5ac520ba808c70d6ab7f310f0a311f0b62211a1e
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
SH256 hash:
9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
MD5 hash:
a904868887655565a03ffb102af7d191
SHA1 hash:
1e2ac063df757aef5e40d5dfb6d691081e5dd176
Link:
https://www.unpac.me/results/23a2ddaa-58b9-4ebb-8ee1-0d2864acab16/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9518bbb87331/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/378839/

Comments