MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 12 File information Comments

SHA256 hash:	9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320
SHA3-384 hash:	ceea9569a236fea64997dfd0d1f2d41a8293f79fb74131ebaef9ef9f4d892ee1510360007e8707c7e576d5643648f078
SHA1 hash:	2e62f1d0185e4f51bb6074068fd0594a522572e3
MD5 hash:	9c2394f874c0283e8749c94aa85ece91
humanhash:	pennsylvania-potato-uniform-vegan
File name:	PO_8877727726.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	798'784 bytes
First seen:	2023-07-19 12:34:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:vRk36u9NkS9cIcBe9vIrEdQriPBr4WsRsuuantwOhyUgW:0OBQ1Br4LBuK
Threatray	3'417 similar samples on MalwareBazaar
TLSH	T1AF052E2939AA500DB3729E656BFC75B6C15EF6F226364C7B0DF7020620129F0DB9C53A
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO_8877727726.exe

Verdict:

No threats detected

Analysis date:

2023-07-19 12:36:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/44b11f6d-0b00-4825-9e8b-8a4a779f80ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/424802/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68237934.7643.8889.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

aspnet_compiler confuserex control lolbin lolbin overlay packed packed packed replace

Link:

https://www.filescan.io/uploads/64b7d8788ca71f19e0893ff3/reports/7b918f00-7be3-4a9c-9bb9-faf246fdd4f3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b590623-dc8f-43a8-a571-6b7bbdcffc02

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1275938

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-19 12:33:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tfb6mcmyarauntitj2qglxwc7owralb7qb4ej5kjysmdkm42imqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

3ee58f59d9f63943f9b78d31c503027f416c7f5cb4ed606768c4c8767133c854

Formbook

4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875

Formbook

4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49

Formbook

7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde

Formbook

8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764

Formbook

c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812

Formbook

d402a53f58b386e523432ddf1c94e44cea111587c6a2714681b0669f2304cb30

Formbook

f3a16fbf76dc776eb61b55b5a5aa8d3203e77effc2e05d85f93df96612323095

Formbook

+ 3'407 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230719-psb9xsee44/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

abc939cf0b02960588e86c0c58e0195f9fc09dea2035acf4dba244f50a2ded67

MD5 hash:

abc6225797e7d2dbedfc47d846cf6030

SHA1 hash:

4e184f622b5423de805fdb52f24432b2781794d6

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/2d3b9324-745f-402e-a986-bc5104f25f2b/

Parent samples :

d88b5bb03d499cee62afae5d7c4b7dece78434f5fbaa667fe397093aa60c4dd3
9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320
9442fbb4a8b6fff536bf913966cf56849bd7808397a8426ce01fbe1c0577a2ef

SH256 hash:

20fe392538a559bb39bdef18a3018d55d6518c869e95705dce75f94ba4e5bbfd

MD5 hash:

89f8c39a333e78086440ae890a4617f8

SHA1 hash:

1589552011f4efa03ad5bec49e68b6925602b2fb

Link:

https://www.unpac.me/results/2d3b9324-745f-402e-a986-bc5104f25f2b/

SH256 hash:

faaae4322148f518df079221a284affc0c048913750d76baa6371d3631101360

MD5 hash:

757de7f9faa8f3a5d85c25b86eacb64f

SHA1 hash:

77bbd7c6082b5e9ae83017f56551c42dd62666d2

Link:

https://www.unpac.me/results/2d3b9324-745f-402e-a986-bc5104f25f2b/

SH256 hash:

9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320

MD5 hash:

9c2394f874c0283e8749c94aa85ece91

SHA1 hash:

2e62f1d0185e4f51bb6074068fd0594a522572e3

Link:

https://www.unpac.me/results/2d3b9324-745f-402e-a986-bc5104f25f2b/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9943e6099804/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9943e60998044146cd134ea065dec2fbad102c3f807844f549c49835339a4320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/424802/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample