MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae
SHA3-384 hash:	d3c096905c0c3b4730c1b636b566b392c356c021c533e27248dfe549cf15de41453c0bc4a4e990481971be41000dde34
SHA1 hash:	cd0fe8ef6c8710ff25e1a80e0fbb2950f336f705
MD5 hash:	72f99c537d61d38a113e121348cce0dd
humanhash:	comet-vegan-salami-coffee
File name:	72f99c537d61d38a113e121348cce0dd
Download:	download sample
Signature	Formbook Create hunting rule
File size:	254'511 bytes
First seen:	2023-05-13 07:14:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:/Ya69yR2Ibj4TC/aVucDdIM5qdwQ7jsXyZzCuBI0V7DI:/YvyR3CqaocdrodB4iJCaI0V/I
Threatray	2'831 similar samples on MalwareBazaar
TLSH	T18D44124137B1D653DCA10AB01E7DBB7AFEFAEE3514F1631717406F097D286A2A60A342
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

signed Contract.xls

Verdict:

Malicious activity

Analysis date:

2023-05-13 06:16:50 UTC

Tags:

opendir exploit cve-2017-11882 loader stealer formbook trojan

Link:

https://app.any.run/tasks/37ab9893-e929-488c-b14a-70665cd925ac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/388880/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.22782.20135.208.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/83838/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo nemesis overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/645f38c0fe2f8f2723bac91b/reports/bf150ab5-fbf3-4d51-aadb-6380a5fe291d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a5a9c257-cba4-4e85-94d1-bd3e5ee1d8bc

Result

Threat name:

NSISDropper, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1232068

Signature

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-05-12 18:42:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tiqzhcyuauoyjtrhayukq5mtmnbwnmhlf6de4jq4zis2aywymcxa._file

Verdict:

malicious

Label(s):

formbook

Formbook

1c120ac2bc08fbd5455f3d5a47dd87ce73e40fa4b0f7a3cdb2d41a85c800e603

Formbook

3202d0bbb79b0d8c4b261059386a1a2471dd8aac7957889ade0e0f8971791529

Formbook

3290889312a146f7ed60102439cb580f84057c98c530c31cae7461b2764f5ad4

Formbook

492cabb55a2f649ce32194e8f9737a51f071b370bc9cd527aa8cd0b844ee7ea8

Formbook

4ddb6586016ebaaa1601830f308bba390a40db9bb74babffb407824f64a43ea6

Formbook

652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1

Formbook

8dd634edea7c470fe551cc425ff6851db72af868b04b747e5c516d4743fa3055

Formbook

b6fe7602e8f288c48cf04e60306dc9349c5b9ebeb8faf35905abede7d0525480

Formbook

ffb63b1c0f03e57910b1f9b67f89bfe69768e5121ed5a0ecfc3af93dd6bc4c1f

Formbook

+ 2'821 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230513-h2phaaaa3t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

01401f0456787cf8b4aafc3055730b64ba243b95bb408cca74e1ae5c6957c8f0

MD5 hash:

366fe2321aaf44759ce9d12aeeb64274

SHA1 hash:

09c98ee91c6008a54db3248e6fecfcbad536403f

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/bd4f44fe-f254-4b7d-9b2c-4c727aeffc99/

Parent samples :

3202d0bbb79b0d8c4b261059386a1a2471dd8aac7957889ade0e0f8971791529
9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae
172d54898a3dda39ec73f1c8df94d0ffc04d12af506caf5e916e1ae899448357
1a392a2f97faa5ba1a5c1802dc5cb1308566590322f42d9369a47bbf519ae030
4c1132e899179269d4277653474d464788d1ec77c004c8658959dc63f955482a

SH256 hash:

fb81cc59ea858962d5f4547ffba452babef64a1a9b984d4f58e1c6e4d68cd1e8

MD5 hash:

45a4152158ab7e74ba6bf43e6df04e48

SHA1 hash:

6b2ade2809cf39b966b5b69b98be413123063e8e

Link:

https://www.unpac.me/results/bd4f44fe-f254-4b7d-9b2c-4c727aeffc99/

SH256 hash:

f3595256f922b81a60ab51da9a6432f0001ef03902574c05d7ea06b87c83dd51

MD5 hash:

4ec0a8f45268658f197152b62a049bf6

SHA1 hash:

f5fef07216ac47f9d136f5b7bc7399623e3c1005

Link:

https://www.unpac.me/results/bd4f44fe-f254-4b7d-9b2c-4c727aeffc99/

SH256 hash:

9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae

MD5 hash:

72f99c537d61d38a113e121348cce0dd

SHA1 hash:

cd0fe8ef6c8710ff25e1a80e0fbb2950f336f705

Link:

https://www.unpac.me/results/bd4f44fe-f254-4b7d-9b2c-4c727aeffc99/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9a21938b1405/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.