MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582
SHA3-384 hash: 6f306171be71617a69835fb9c7173bd9b19fa361d1266ab7fd8cdc6a9f93130a52d4ec81a735987c20e67b193c5ef04d
SHA1 hash: 8cf5f95ecf8cd58dcea48e320953de54b2004bdc
MD5 hash: 6256453ccc02f406d675a15038d6ea98
humanhash: butter-happy-comet-apart
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.61618.657.10537
Download: download sample
Signature Formbook
Create hunting rule
File size:2'553'856 bytes
First seen:2021-02-16 10:54:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:CqoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGF:AX0zlC6m4985m0sQ1a7
Threatray 3'838 similar samples on MalwareBazaar
TLSH 98C51D7C882D986277C1126FDC5E07830FDAA7F5EB552C4D4A23836DCA8363B671846E
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WAFPASSION + PDA_NOTICE.xlsx
Verdict:
Malicious activity
Analysis date:
2021-02-16 08:15:06 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/8f9d692e-33e7-42b0-a36d-9de3ab92a98f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117319/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61618.657.10537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/608829
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected Beds Obfuscator
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 07:43:00 UTC
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09715a97873a089c9dc80219175d50508628f4f794639c2e725bad85d68804c2
Formbook
0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
Formbook
1382bae50eece1846b8d858d0f975b900eb1a5908f789333c55b1341b1b0d57b
Formbook
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
691f4ceec58c748e1dd6535281cacf8dcb3f2f5907796dbeefec03c975dbb28e
Formbook
b8392aaf409d89fe323576fdf09bf3320094962da9812918d23bb47b3d8d53f8
Formbook
bf07178f2c85eed5d1e0feafc5c312fce344c6ad7666b5be2abf736e6af94169
Formbook
c848b9f81ec7dcc330cc57ede3482805ccad25143eac801f7f56fc5cc0ccace5
Formbook
c88ff1a1487ac7559ec7f8104f6b1cd8231b6a7f0a52020c356c460d2b608d9a
Formbook
+ 3'828 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210216-t42vxfh7gj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Beds Protector Packer
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.digitalneeds.tech/ivay/
Unpacked files
SH256 hash:
d76e5c33779735fbf61b04f547475259b887971c0678e7333855458e0d0d30bb
MD5 hash:
d178580c2dbc0bdbd9df6d7a21e92133
SHA1 hash:
f4187c5962d7d01624f2df8f613ab9ec512b4c1c
Link:
https://www.unpac.me/results/9d7555ce-d224-4243-aa69-788df7a68ee2/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/9d7555ce-d224-4243-aa69-788df7a68ee2/
SH256 hash:
6371265c1e6b6a39d54a7bb9485b7ef14bf338c13e0f0e8e4e81f3ac802eaac8
MD5 hash:
4449dbe70422f2dbc5b21121c18ba3d6
SHA1 hash:
be147522e8dd0198a8f4478c5b02550893331d45
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9d7555ce-d224-4243-aa69-788df7a68ee2/
Parent samples :
c88ff1a1487ac7559ec7f8104f6b1cd8231b6a7f0a52020c356c460d2b608d9a
691f4ceec58c748e1dd6535281cacf8dcb3f2f5907796dbeefec03c975dbb28e
bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0
ba036ae8ea1f0edb73e54c34031ae4eb52862512054e014ee9d21ed04fdca86c
9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582
6a37a2a65393b805bbe4e7e4e42b642da433e9caa7436aaeb9df8ab0fc6679b9
9ab3bb93a6d39ab709c9b2369cde749ccbe7f3796c7c3e2fc39aa4715c3bb0fd
0e2a77f131f7d624f3c067e4b58124ccf1c85b4e16bf839fd2a6e9fde02a3f43
SH256 hash:
9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582
MD5 hash:
6256453ccc02f406d675a15038d6ea98
SHA1 hash:
8cf5f95ecf8cd58dcea48e320953de54b2004bdc
Link:
https://www.unpac.me/results/9d7555ce-d224-4243-aa69-788df7a68ee2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/117319/
  
URLhaus
https://urlhaus.abuse.ch/url/1012361/
  
Delivery method
Distributed via web download

Comments