MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
SHA3-384 hash: 254f753f4d6e20b2248641ea2879d84da96f599e6562018553445d8de7cd4dca8f435da8bdcc34c3473a3b8c24efc47a
SHA1 hash: 2700a38ef604d78793da302664afc7d27bbb0b1c
MD5 hash: fc317530c3a698867861a965caa34bad
humanhash: muppet-comet-cold-july
File name:092726376263728.DOC.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:817'152 bytes
First seen:2023-05-10 18:48:14 UTC
Last seen:2023-05-13 22:40:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eb49758b652eedff910503837727781 (2 x ModiLoader, 2 x Formbook)
ssdeep 12288:TNLhcjoS4FC7ITh3IBPmOt50Pbkttml53kbXJ2zlLj0:T9hcsFCMTaFCKIsbZ2h
Threatray 2'790 similar samples on MalwareBazaar
TLSH T15805CF32B2E19173D0B32538AD5A571AF4397FE00A187759EFDA7E0C2B391A0396D342
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74e0d4c2d4c6c0d4 (6 x ModiLoader, 3 x Formbook, 1 x AveMariaRAT)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
250
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
092726376263728.DOC.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 18:52:06 UTC
Tags:
dbatloader formbook xloader trojan stealer
Link:
https://app.any.run/tasks/070db66e-8ce6-4ae9-a6f3-e89b93c90091

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388262/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.15169.17254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83421/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/645be71f4698ab2675290583/reports/8bac3e21-d96c-45d7-8efe-428c4719876b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6b59e55-6f05-4d54-8c04-70202464d4f6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1230325
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 863307 Sample: 092726376263728.DOC.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 53 www.huangse5.com 2->53 55 expired.namebright.com 2->55 57 cdl-lb-1356093980.us-east-1.elb.amazonaws.com 2->57 101 Multi AV Scanner detection for domain / URL 2->101 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 8 other signatures 2->107 12 092726376263728.DOC.exe 1 3 2->12         started        signatures3 process4 dnsIp5 77 web.fe.1drv.com 12->77 79 ph-files.fe.1drv.com 12->79 81 2 other IPs or domains 12->81 49 C:\Users\Public\Libraries\Wkoaggmq.exe, PE32 12->49 dropped 51 C:\Users\...\Wkoaggmq.exe:Zone.Identifier, ASCII 12->51 dropped 133 Creates multiple autostart registry keys 12->133 135 Writes to foreign memory regions 12->135 137 Allocates memory in foreign processes 12->137 139 2 other signatures 12->139 17 logagent.exe 12->17         started        file6 signatures7 process8 signatures9 83 Modifies the context of a thread in another process (thread injection) 17->83 85 Maps a DLL or memory area into another process 17->85 87 Sample uses process hollowing technique 17->87 89 2 other signatures 17->89 20 explorer.exe 14 9 17->20 injected process10 dnsIp11 59 www.trendiddas.com 5.183.8.187, 49711, 80 INTERXSCH Germany 20->59 61 www.sueyhzx.com 45.200.220.24, 49712, 80 Africa-on-Cloud-ASZA Seychelles 20->61 63 3 other IPs or domains 20->63 109 System process connects to network (likely due to code injection or exploit) 20->109 24 Wkoaggmq.exe 20->24         started        28 systray.exe 20->28         started        30 Wkoaggmq.exe 20->30         started        32 2 other processes 20->32 signatures12 process13 dnsIp14 65 web.fe.1drv.com 24->65 67 ph-files.fe.1drv.com 24->67 73 2 other IPs or domains 24->73 111 Multi AV Scanner detection for dropped file 24->111 113 Machine Learning detection for dropped file 24->113 115 Writes to foreign memory regions 24->115 34 SndVol.exe 24->34         started        117 Tries to steal Mail credentials (via file / registry access) 28->117 119 Creates multiple autostart registry keys 28->119 121 Tries to harvest and steal browser information (history, passwords, etc) 28->121 131 2 other signatures 28->131 37 cmd.exe 28->37         started        39 cmd.exe 28->39         started        69 web.fe.1drv.com 30->69 71 ph-files.fe.1drv.com 30->71 75 2 other IPs or domains 30->75 123 Allocates memory in foreign processes 30->123 125 Creates a thread in another existing process (thread injection) 30->125 127 Injects a PE file into a foreign processes 30->127 41 logagent.exe 30->41         started        129 Tries to detect virtualization through RDTSC time measurements 32->129 signatures15 process16 signatures17 91 Modifies the context of a thread in another process (thread injection) 34->91 93 Maps a DLL or memory area into another process 34->93 95 Sample uses process hollowing technique 34->95 97 Tries to detect virtualization through RDTSC time measurements 34->97 99 Tries to harvest and steal browser information (history, passwords, etc) 37->99 43 conhost.exe 37->43         started        45 conhost.exe 39->45         started        process18 process19 47 conhost.exe 45->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320/
Threat name:
Win32.Trojan.XLoader
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 17:41:57 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfz2bldu7bsjwqyutgdcgwjvftaoqy47j5dk4wxcg4p43kxtcmqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
Formbook
1d8e5ebbfd116c875add08d4a4b4a37ef0361b28f9e9cbfd0690bc81206338c6
Formbook
60e62d5459b1971893914ca21242c08a31cdc2dcdeed79e92c0b594e43bf8ec5
Formbook
6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0
Formbook
8545a266a50d8b5dc65790c7ce2b6d74f89641c731d53b44bc5b89cd143c3303
Formbook
cc137e83cd1540c8025151f56b4f667de6c89e605f242ec77a709ca7672daf78
Formbook
deac6a9d624a09826ac4d090bc20ae437e90b78a8a7b51a6c2d83a939dc2fdb8
Formbook
e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5
Formbook
+ 2'780 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader campaign:uj3c loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230510-xgbs1shg89/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Adds policy Run key to start application
ModiLoader Second Stage
Xloader payload
Formbook
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
69c6e002de44c905e93aeb42e8af8a84d9226521e522eb395abdd809e10cb5c0
MD5 hash:
72b5a2c66c44725d2ae8fc95f1eb1bb3
SHA1 hash:
af52f3f5287833d59948d72e5ec1c5b5d336146d
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/3df8c95a-4f51-4294-acec-2711126fd69e/
Parent samples :
deac6a9d624a09826ac4d090bc20ae437e90b78a8a7b51a6c2d83a939dc2fdb8
229acb9011d2cf600c9112b5f7d19cba56d9bf5ecc20880a6c760e10f685b244
9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
fcc333cc2afdf31c58e273f1ffe429fa7a765479582f9508867517c23d51a9f4
9e07cf78963257e6dfbec89916c91aa264325bb5d1fe117879f7abcb7b08c77d
SH256 hash:
9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
MD5 hash:
fc317530c3a698867861a965caa34bad
SHA1 hash:
2700a38ef604d78793da302664afc7d27bbb0b1c
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/3df8c95a-4f51-4294-acec-2711126fd69e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9973a0ac74f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388262/

Comments