MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b0a4dba4956bc341c94844a39cabed66757532bcdbc38de6fe0c2fc9a366482. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b0a4dba4956bc341c94844a39cabed66757532bcdbc38de6fe0c2fc9a366482
SHA3-384 hash: 2bafb1e286703922f510e792ad7e09461e4cd915dc6787121e6bf3dafee905df658c0e392605d24fb3802d8e2a2a55f8
SHA1 hash: 3b567f4a93b1f3f225dcce4366d5eafe8908eee4
MD5 hash: f4107079aba88ff0b058e8d827126625
humanhash: washington-texas-three-xray
File name:Se ataseaza factura proforma.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:753'664 bytes
First seen:2022-05-11 09:09:07 UTC
Last seen:2022-05-15 21:15:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:wMjdR7RRWXKiIHHmzTqyrei4ZC7rY1Znck9sesTzOI9za2X23y7WtxykKMOgvTRQ:9KaiyHIGAe7ZO87t9MO0tXs5TRkOn92
TLSH T194F48E9B7F846D64C1BD6A70966C31B4C3F050DF5BA9935F0882B1E86B363C97B806D2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269642/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1329.22830.20945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Сreating synchronization primitives
Launching a process
Creating a file
Moving of the original file
Unauthorized injection to a recently created process
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerbu fareit formbook obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/627b7d4df83e35ebf4f2a4ef/reports/21985caa-0407-4200-88dd-d90a0c19b27a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b55fe0da-cc0f-4f62-8a9b-91ddab2aaa6d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991714
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624215 Sample: Se ataseaza factura proforma.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 6 other signatures 2->63 9 Se ataseaza factura proforma.exe 4 2->9         started        process3 file4 47 C:\...\Se ataseaza factura proforma.exe.log, ASCII 9->47 dropped 71 Moves itself to temp directory 9->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->73 13 skype.exe 5 9->13         started        17 cmd.exe 1 9->17         started        signatures5 process6 file7 49 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 13->49 dropped 75 Antivirus detection for dropped file 13->75 77 Multi AV Scanner detection for dropped file 13->77 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->79 19 cmd.exe 3 13->19         started        81 Uses ping.exe to sleep 17->81 83 Drops PE files to the startup folder 17->83 85 Uses ping.exe to check the status of other devices and networks 17->85 23 reg.exe 1 1 17->23         started        25 PING.EXE 1 17->25         started        28 conhost.exe 17->28         started        signatures8 process9 dnsIp10 43 C:\Users\user\AppData\Roaming\...\skype.exe, PE32 19->43 dropped 45 C:\Users\user\...\skype.exe:Zone.Identifier, ASCII 19->45 dropped 65 Uses ping.exe to sleep 19->65 30 skype.exe 4 19->30         started        34 conhost.exe 19->34         started        36 PING.EXE 1 19->36         started        38 PING.EXE 1 19->38         started        67 Creates an undocumented autostart registry key 23->67 53 127.0.0.1 unknown unknown 25->53 55 192.168.2.1 unknown unknown 25->55 file11 signatures12 process13 file14 51 C:\Users\user\AppData\Local\Temp\skype.exe, PE32 30->51 dropped 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->87 40 AddInProcess32.exe 30->40         started        signatures15 process16 signatures17 69 Tries to detect virtualization through RDTSC time measurements 40->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b0a4dba4956bc341c94844a39cabed66757532bcdbc38de6fe0c2fc9a366482/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 11:04:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmfe3osjk26diheuqrfdtsv62ztvouzlzw6drxtp4dbpzgrwmsba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220511-k41z7sgca7/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
3b1a82ce501782a363b32cd1092d9870b4737a87e5ea9a838f97d878163f6062
MD5 hash:
c78e8421cdf1b20148f12cbcdef5e2c9
SHA1 hash:
1b2b521c0b17c5de39659f87bbfcf9445f11acad
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
Parent samples :
3ecf3d1df831abf769bbb4121101d9c2ed9c736dd19f8c8f2ce361443b018a96
87946dcd976eb13af37e24ff68e36a03d2f46a9ae474f336207cf03cbbb0b508
9b0a4dba4956bc341c94844a39cabed66757532bcdbc38de6fe0c2fc9a366482
f073049a0bb7d1e370d603841469d9b6070da559d9721a018a6ace155d2d7b3a
SH256 hash:
c9f94bb4417ce2adda39a059ae7e3fdcfe40af754442104e15976a2b86d68656
MD5 hash:
37115d6b0f0fa85cd9695187f3b1f0ab
SHA1 hash:
4258cae891f8ab8a42f71eda10846ae78ab1b5ff
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
SH256 hash:
c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b
MD5 hash:
f9b293305bd04eee511c0ffd0e7f29d7
SHA1 hash:
fd981a9537a903422311f582defc1c8fd97248af
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
SH256 hash:
7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash:
72403055ee098f50bcc8a238fdbef878
SHA1 hash:
eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
SH256 hash:
de946071f5ce37d7bd121d1d7123a795c6111bb37715139a956110b97b0ba98a
MD5 hash:
ee5770ede963b3444343d074820acf46
SHA1 hash:
8863ca4d0e2f49f93c5325135931a163d652ab73
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
SH256 hash:
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
MD5 hash:
0e362e7005823d0bec3719b902ed6d62
SHA1 hash:
590d860b909804349e0cdc2f1662b37bd62f7463
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
SH256 hash:
157b74d1cfc7e9449e350770742da19e790336519a12df1b1058f7dba20832ee
MD5 hash:
f5545c47d737b90bb956e310ea788a8c
SHA1 hash:
fd4f31c0bb8183915003513f25b01344a1752270
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
SH256 hash:
9b0a4dba4956bc341c94844a39cabed66757532bcdbc38de6fe0c2fc9a366482
MD5 hash:
f4107079aba88ff0b058e8d827126625
SHA1 hash:
3b567f4a93b1f3f225dcce4366d5eafe8908eee4
Link:
https://www.unpac.me/results/81a55d6b-b8b0-46af-a616-4d5f872ce186/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9b0a4dba4956/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b0a4dba4956bc341c94844a39cabed66757532bcdbc38de6fe0c2fc9a366482

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269642/

Comments