MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
SHA3-384 hash: 6151b73790c3d43867a7a3d0e54b5a58f6b640cfece5c57351b089d55658ccdbb9d1777085886c3a9baf97b9961cfd38
SHA1 hash: 9160e53758b8d41b96e417eaa412b4a4c895ce46
MD5 hash: 6644478c653327d0f4f7f35e7effd62c
humanhash: whiskey-kansas-violet-mountain
File name:payment..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:657'408 bytes
First seen:2021-09-22 09:17:28 UTC
Last seen:2021-09-22 14:10:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:0hKmtiK5oBTF2TnFLm2rXsSCP7gBZUTu+qynGiNfPHU4nPf/u:0I+FoBoTtr7sCHUTu5eHU
Threatray 9'468 similar samples on MalwareBazaar
TLSH T184E40268B69071EFC917CA7AD8741C60EB60B4BB6307D207A053209D9A4E7DBCF165F2
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
6
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment..exe
Verdict:
Malicious activity
Analysis date:
2021-09-22 09:19:23 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1bc457d9-ec01-4567-803c-4a9a0a92cce9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190115/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.5941.12636.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60e15005-7afa-4abc-948c-e0f8a8157e7f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855458
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487889 Sample: payment..exe Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 31 www.jingkevip.com 2->31 33 hk1.mengb123.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 9 other signatures 2->47 11 payment..exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\payment..exe.log, ASCII 11->29 dropped 59 Writes to foreign memory regions 11->59 61 Allocates memory in foreign processes 11->61 63 Injects a PE file into a foreign processes 11->63 15 RegSvcs.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.vinhnnph17909.xyz 18->35 37 lobbykw.com 162.241.252.161, 49829, 80 UNIFIEDLAYER-AS-1US United States 18->37 39 18 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Performs DNS queries to domains with low reputation 18->51 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 09:18:05 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=svc3tetrs36rfuzhyofw7go37y56ppxo7opeysu5hmbyyxbzyemq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0693c816986f73899e351e1989103e680c336f401cca1d14f5bce3b5865cfee6
Formbook
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
Formbook
6acf1bec87a9b06a63ac3be623a527d7c419d17bb8a258b67e2f7cc2c607cc10
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
Formbook
+ 9'458 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:etaf loader rat
Link:
https://tria.ge/reports/210922-k9lsgacag9/
Behaviour
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.jingkevip.com/etaf/
Unpacked files
SH256 hash:
857d1f34774a5c7f5debe1e2a5efde128f12921247f167ba4a35a8eb6385cb47
MD5 hash:
2e649100656a063befb21d563d8da57c
SHA1 hash:
2b0683aec0553362a6f774bb26c8dd2324503fd5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/25ec8911-bba0-4ee8-abce-43bc1dd154a8/
Parent samples :
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
ef4a9aba2afcd39bbfbce4fde4f5b14869115984d430c2e73353e89e214feaa4
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
SH256 hash:
2d1f8d8e4889c70ed674891161da69f63161c1658635b872aa5b96ae188db659
MD5 hash:
db94f3c818cd39799a0b0e3d161a7cda
SHA1 hash:
eb07309754ee3976fd75db8180a80db106033359
Link:
https://www.unpac.me/results/25ec8911-bba0-4ee8-abce-43bc1dd154a8/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/25ec8911-bba0-4ee8-abce-43bc1dd154a8/
SH256 hash:
e2ffb3c69f2f3d84c0f75c4aa66702099ef73d808a944427f04e70ff52f2ec44
MD5 hash:
9d51975a1960a9786e7c5bdece192b8e
SHA1 hash:
b95d04a89d6c431766b242cc0c238630fa9f6d89
Link:
https://www.unpac.me/results/25ec8911-bba0-4ee8-abce-43bc1dd154a8/
SH256 hash:
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
MD5 hash:
6644478c653327d0f4f7f35e7effd62c
SHA1 hash:
9160e53758b8d41b96e417eaa412b4a4c895ce46
Link:
https://www.unpac.me/results/25ec8911-bba0-4ee8-abce-43bc1dd154a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190115/

Comments