MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f
SHA3-384 hash: 2260b0b38bacc260b797a7351a2820e47badbaa0b59d5f1792e323377983913b25322ad50df052228643f605bdbf1d3a
SHA1 hash: 7ab8cb99cbd5e25866bc5f25cdaed6770ee3bc0b
MD5 hash: 604e6f454904b29a66e7385ec33da0ac
humanhash: orange-friend-emma-venus
File name:SecuriteInfo.com.Trojan.GenericKDZ.72694.688.1188
Download: download sample
Signature Formbook
Create hunting rule
File size:300'032 bytes
First seen:2021-01-26 11:05:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f2b089a16b59299cd24d450810f3320 (2 x Formbook)
ssdeep 6144:IW4LzLg+Cz9RbVkPFa3R7Uy99fEWQaX6uqE6nrSfbQ2:ezVCh403JUSR6yTQ2
Threatray 3'595 similar samples on MalwareBazaar
TLSH 7F54CF017AD1C033D12361764A11C7B58E3E78716B766ACB7BC81AB81F356D2EB3634A
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Year Inquiry List.xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-26 07:02:13 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/90579f23-b846-4c84-9804-1b7a2285637a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113857/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.72694.688.1188.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

PUA.Win.Adware.Firseria-6840971-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/590537
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 07:27:53 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
220ab940326b10e217ed23f4806edd06fac3cf52cbd3c8863863eac6893b02ea
Formbook
38f3aadc65df16aed9f5bbaa5f42598d3fd9b29811429fcddd679a40b092fca0
Formbook
6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
Formbook
7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
9166caa8818f4cc62ac7922d901d396e17c0ff0867c48d52bd891b05121abafd
Formbook
c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57
Formbook
ceb2632fac30996ac58a50455d968873321f7a18972db02e9535b485a3b0e2f7
Formbook
d81f4b6a0b8650415e2c2acfe4ee223f6826b3b6849393f4de2db4f3a814beaf
Formbook
dca4c9a7846a3ebb066c08583388adeb4b05e464f20abd10409ccf47164d8635
Formbook
+ 3'585 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210126-4ka7b865ln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.hitchhikerfab.com/qjnt/
Unpacked files
SH256 hash:
104fed0b92c1f827c25de61c2fe932862dc222e02486e30039eb42f470d102c3
MD5 hash:
d53716133bc40f8b78b45a3c93a17677
SHA1 hash:
72549806a279dd277b287153f742e99eb7f5821e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/39fd77b9-c2d7-472d-8daa-c09d4315f682/
Parent samples :
d81f4b6a0b8650415e2c2acfe4ee223f6826b3b6849393f4de2db4f3a814beaf
9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f
SH256 hash:
9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f
MD5 hash:
604e6f454904b29a66e7385ec33da0ac
SHA1 hash:
7ab8cb99cbd5e25866bc5f25cdaed6770ee3bc0b
Link:
https://www.unpac.me/results/39fd77b9-c2d7-472d-8daa-c09d4315f682/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9606fd4c72596ac59b67b738dcb693daff05b981fcd98f56a481dbb749d3b78f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978585/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113857/

Comments