MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments 1

SHA256 hash:	9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3
SHA3-384 hash:	22ae7ceb54175e08af64c15508e942d5d8868600bca4ba3630648b81244a45f23ba0e6cfa3d0783af1912a17abf5927f
SHA1 hash:	7718b7e624ad54643cc240c42f8f336f9511f62b
MD5 hash:	b73fd744a06524f04f0582822348f1bc
humanhash:	asparagus-oscar-hydrogen-quiet
File name:	b73fd744a06524f04f0582822348f1bc
Download:	download sample
Signature	Formbook Create hunting rule
File size:	933'376 bytes
First seen:	2022-03-01 18:02:17 UTC
Last seen:	2022-03-01 19:55:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:I3+PfG+loLiIT3HK+QAc504h16ZLIEGa:h6O2XKJ5nh1wI
Threatray	14'355 similar samples on MalwareBazaar
TLSH	T1BB15BF4835D5103DE8368BB1CAD4EFE09B2DFA21D54A60B250023D1BA63D7BD8A45EFD
File icon (PE):
dhash icon	68686cdcc6a6d2e1 (13 x AgentTesla, 5 x Formbook, 4 x AZORult)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/245956/

Detection(s):

SecuriteInfo.com.Variant.Lazy.144950.13494.17511.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/621e5fdbdfdfa8501c727abb/reports/0498638d-5ccc-47eb-b9d3-2a4bc0b2eba4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b7fe028-9f7f-46d3-bd58-b61e7ed105e8

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/948471

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-01 18:03:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

2b61cfb00cc8a45fdae91c176c8e68be4ac7cefbe0fab5781e5fa44d2ec4ca9f

Formbook

6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2

Formbook

76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6

Formbook

8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0

Formbook

9b9e383f7635be680129b113ad1e827c61e2e2cf1ce7ccccd2f09b9a0a546494

Formbook

daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a

Formbook

dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a

Formbook

f136f4f9c59c4ff2582063222c6df106a3d1e3d7d9220ff73e3cb2ec487fe1db

Formbook

f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4

Formbook

+ 14'345 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:g2e7 rat spyware stealer trojan

Link:

https://tria.ge/reports/220301-wm1tnacehj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Unpacked files

SH256 hash:

6f290dff7c68f73aff45d09c3ea10847f1305b59ca09bba6b87b0bfb24cf6553

MD5 hash:

bb9017e04aab48de8eba50f5704933f5

SHA1 hash:

85cdd5fed8703d98af059b9b3892ccc7a2a5bf0c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f1b5114a-c5ce-48df-8c4e-7f098531d1fd/

Parent samples :

9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3
81ca38001ad9f05b6f89e4e956cbd1efce397ebdb516b6e381c777e28b6dadbb
059bdd3a82690647000d29fd9d7957782518cf71ab9c848666992508c4bb0c2e
154e83d504788a5a1a35d1758157daefaed1810f8752601cf4dd5577d626b59b
c6a3fd36f07d97fb287fbac946ae8b8d12d1fcde36fa87395de79d59f0c3fb77
b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9
3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76
9cfa1deda62a35bf8c2211bf4c1996d880c84c4242308a5d74403a570d70e066
9e3075aeadf4672cd6edfeb02d197a31a05be6330e3d179125c68c9d60893d18

SH256 hash:

d401d9493a4729970ce44006ddbc86a07c891e28e0d77f381e1d25ae22e84729

MD5 hash:

103f6f7162a7bfbcdc6d2ff229c66787

SHA1 hash:

ffd04643594b85c0255174d8cb2eb6a0b849976d

Link:

https://www.unpac.me/results/f1b5114a-c5ce-48df-8c4e-7f098531d1fd/

SH256 hash:

6430a8d721cd87cbd7ee2e8915cbbfa23c24a3d7c821d1d61ae3b2101f05dacc

MD5 hash:

038f965e98000b054e66c76c654a98f0

SHA1 hash:

750a363d5016551fe060e280d76a8e088f74463b

Link:

https://www.unpac.me/results/f1b5114a-c5ce-48df-8c4e-7f098531d1fd/

SH256 hash:

e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715

MD5 hash:

78a25e75b94923e889ecd100349facbe

SHA1 hash:

6b3f8db525d3c98f92ed480e664ab8ee9458340b

Link:

https://www.unpac.me/results/f1b5114a-c5ce-48df-8c4e-7f098531d1fd/

SH256 hash:

9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3

MD5 hash:

b73fd744a06524f04f0582822348f1bc

SHA1 hash:

7718b7e624ad54643cc240c42f8f336f9511f62b

Link:

https://www.unpac.me/results/f1b5114a-c5ce-48df-8c4e-7f098531d1fd/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9577df8b7e48/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2069200/

Cape

https://www.capesandbox.com/analysis/245956/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-03-01 18:02:18 UTC

url : hxxp://142.93.227.231/emezx.exe