MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9a9d7a41c404b9044a82727996d53222d996f03d71e4839245dbeeaf4c685f77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 15
| SHA256 hash: | 9a9d7a41c404b9044a82727996d53222d996f03d71e4839245dbeeaf4c685f77 |
|---|---|
| SHA3-384 hash: | e0dfede98767ccf2cee6e2cb076161480fc00d2f073f3da17f9420d1753dc5e800742ecf29de1a9ee46c1ca8bd564896 |
| SHA1 hash: | 4787a9f2537452a8ef008ed74f568a346215e4e1 |
| MD5 hash: | 04fec8ba993e5f1f1b6d1120a2ea9613 |
| humanhash: | failed-mockingbird-apart-stairway |
| File name: | Proforma Invoice P101092292891 TT slip pdf.rar.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 471'040 bytes |
| First seen: | 2023-01-27 14:32:56 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 7d5633a42ffd76ee13357d3fff276d91 (1 x Formbook) |
| ssdeep | 6144:i4zkqkPg9nAWDYkldwjjVAL+g/cSjx5WXGanNhEUnr:i4TJ9np/ldwjRALZ3x5WznNhv |
| TLSH | T172A402D5AF3E994DF42098784B3AD80F495A6E7034489D4FAA95B6C424FBF4280F0F5B |
| TrID | 82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) 2.0% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger) |
| Reporter |  abuse_ch |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
Proforma Invoice P101092292891 TT slip pdf.rar.exe
Verdict:
Malicious activity
Analysis date:
2022-12-02 15:57:11 UTC
Tags:
formbook xloader trojan
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Searching for the window
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with system ini files
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
lokibot
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.PonyStealer
Status:
Malicious
First seen:
2017-12-15 08:47:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
33 of 39 (84.62%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:ob persistence rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Formbook payload
Formbook
Unpacked files
SH256 hash:
92d48739126e1ed4f092eedaaff60e222ca1e1f06cc9cb37d55900f5d574bc2b
MD5 hash:
48f81c8a99b8f6e4efc6efa5b39c697b
SHA1 hash:
dbe8e90ac91c72b963c8148f3bc548364ab5b52e
Detections:
FormBook
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_auto
win_formbook_g0
SH256 hash:
9a9d7a41c404b9044a82727996d53222d996f03d71e4839245dbeeaf4c685f77
MD5 hash:
04fec8ba993e5f1f1b6d1120a2ea9613
SHA1 hash:
4787a9f2537452a8ef008ed74f568a346215e4e1
Malware family:
FormBook
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.