MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
SHA3-384 hash: 2f5e193da76b9dc1c6aed11692ecabcd4054ae03ad704765812e5718abf18af82ed37a17865f8ba33afb02dfa76f33bc
SHA1 hash: 613cf1c86321deac5a0a172b4290ca9b2fe1196a
MD5 hash: 22b7779314863ab98fdb44998b720eda
humanhash: video-black-leopard-mirror
File name:22b7779314863ab98fdb44998b720eda
Download: download sample
Signature Formbook
Create hunting rule
File size:1'052'672 bytes
First seen:2023-03-13 11:09:47 UTC
Last seen:2023-03-13 12:43:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:Wpl1K8tUyZmMRxEy0g6DxV54CRNCxOR3Is2OTo65dwWm2OKQqEsPEDigaDNlhXIg:FVC8hRMOTo65dwW1OKZ7PEDqNv4WaEw
Threatray 2'427 similar samples on MalwareBazaar
TLSH T185256AC69334480EFD601E7D335474B3DE538C99E8EBB2AF1A93BC2A64F944405DE962
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22b7779314863ab98fdb44998b720eda
Verdict:
Suspicious activity
Analysis date:
2023-03-13 11:12:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45681b32-4e05-4120-bc71-f12d6d986af5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374001/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1878.19511.3657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640f048d56d2bc8d80b724ed/reports/f23da926-a6c9-4128-afad-057bede4d4e6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02c6319f-23de-439a-982d-dc034934f481
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192427
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 825330 Sample: aaYFJC4N64.exe Startdate: 13/03/2023 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected FormBook 2->34 36 2 other signatures 2->36 10 aaYFJC4N64.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\aaYFJC4N64.exe.log, ASCII 10->28 dropped 40 Tries to detect virtualization through RDTSC time measurements 10->40 14 aaYFJC4N64.exe 10->14         started        17 aaYFJC4N64.exe 10->17         started        signatures5 process6 signatures7 42 Modifies the context of a thread in another process (thread injection) 14->42 44 Maps a DLL or memory area into another process 14->44 46 Sample uses process hollowing technique 14->46 48 Queues an APC in another process (thread injection) 14->48 19 explorer.exe 3 6 14->19 injected process8 process9 21 msdt.exe 19->21         started        signatures10 38 Tries to detect virtualization through RDTSC time measurements 21->38 24 cmd.exe 1 21->24         started        process11 process12 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 11:10:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6cnj45pmm4c5eqqksliiszfxrhef2jdaw3xa7b72zcrzggdsh3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25f2b36dc8b2fb7c4d2694c9d4293de356f39d61732414be8b87e772aadcb30d
Formbook
29558d0c124ef9f0b3b801e37c0b2c652930158fc94d110444b3f0d43be8329f
Formbook
2fb0a24e905687a5443fbe50d21033e4318da3275260bd82d016a9af346bb09b
Formbook
342215db36f2fa15a4b72d54cb4e7a7179462dcaab9dc9f791336df867d6d286
Formbook
686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486
Formbook
6a766e75516bc67b48fc8b521bb77c09f67a00baeaf20555e0630001d9ebdd90
Formbook
93e9640423fb4afef5c9255f3489af80b7961696350cf0c30cb295711bb50a8e
Formbook
ae1f2c8fd75695601dbe0f3b3fd00922495add9f623a81c0989c0fd17f10776b
Formbook
b2c983f76b02245e87e5b264f1a89fae3f3fba72772f11615de582d1804acce9
Formbook
c1b6263682ff4c894af9df16a4f6c63bcd49248f2a580b3a3c86012d44388437
Formbook
+ 2'417 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dr62 rat spyware stealer trojan
Link:
https://tria.ge/reports/230313-m9qgrscb31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
d8f0232a14c9ab086e670933be20e0e50598fbbcbf6971b45e2b2913e1330a86
MD5 hash:
8255e269995d02bb36722998bf8077b5
SHA1 hash:
4b6df72b84f912b11d0289e05d95cf9335e34e79
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ca8fcb2c-f733-496d-aaf3-553681940900/
Parent samples :
9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d
9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14
9895575b7f29abeddb92d3c078a06929876212e7980605727e46b2e88974a7ec
SH256 hash:
e500556ed0ecaeeb6eb1a7cc0035a22bd847bd62157cb1c28cc60a9cb6bd7f4a
MD5 hash:
d7bc273b689f9b01031c613eb523df42
SHA1 hash:
bee648df9bc95e2aebefc3acf4e673ec2804889c
Link:
https://www.unpac.me/results/ca8fcb2c-f733-496d-aaf3-553681940900/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/ca8fcb2c-f733-496d-aaf3-553681940900/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
697564e6a8e1c9ff14388fad01eb3290ff22ebdd81cae94f766599fd04fb5117
MD5 hash:
fe32343d02dc82f4408f9122568094d0
SHA1 hash:
53319c116ca098381cae608db7a9fc2c7525971e
Link:
https://www.unpac.me/results/ca8fcb2c-f733-496d-aaf3-553681940900/
SH256 hash:
64739cb58e4f4858a0fc85b36b64dffb36c282a224ef290e2193956bc587aee1
MD5 hash:
24f1cc2d152856bd61c5ac8adc00b443
SHA1 hash:
1f511ae753338312292449ea1b8d6076c294af86
Link:
https://www.unpac.me/results/ca8fcb2c-f733-496d-aaf3-553681940900/
SH256 hash:
9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
MD5 hash:
22b7779314863ab98fdb44998b720eda
SHA1 hash:
613cf1c86321deac5a0a172b4290ca9b2fe1196a
Link:
https://www.unpac.me/results/ca8fcb2c-f733-496d-aaf3-553681940900/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9784d4f3af63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/374001/
  
URLhaus
https://urlhaus.abuse.ch/url/2568449/

Comments


Avatar
zbet commented on 2023-03-13 11:09:50 UTC

url : hxxp://208.67.105.179/dialozx.exe