MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e
SHA3-384 hash: c966711a6ff4ef15ca0f44893bbf818bba602d7297aae89feecf036f4a8edb4b21251876400c10047402710fa9de7166
SHA1 hash: 6d0b6ecce1eb9d26dd77552ca5b0ad737fe6e7b9
MD5 hash: 250d5a609ef789d81a32fa3acee75e41
humanhash: idaho-bacon-crazy-mississippi
File name:250d5a609ef789d81a32fa3acee75e41
Download: download sample
Signature Formbook
Create hunting rule
File size:407'552 bytes
First seen:2022-01-18 17:31:12 UTC
Last seen:2022-01-18 19:29:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:WyoRG7JOTETQx2MQKnw9fY7VQQdXtzH0dLJS/OhpRRRRRER3R:Wyoc7Jha2Rc7VtLUdCkRRRRRER
TLSH T1E284126D9398F32BC5F50B71F8E1110586B9D9A33B45E38FCA88BA5D5E8375208132B2
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220276/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FSG.genEldorado.5059.32170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61e6f999d32385db63030390/reports/85683c00-7381-42cd-b2b3-59e8414b9e38/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5280be8e-168c-45dd-8d2c-5119a2269235
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/922672
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 555146 Sample: T2WPzoxof7 Startdate: 18/01/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 7 other signatures 2->42 9 T2WPzoxof7.exe 3 2->9         started        process3 file4 30 C:\Users\user\AppData\...\T2WPzoxof7.exe.log, ASCII 9->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 9->54 13 T2WPzoxof7.exe 9->13         started        16 T2WPzoxof7.exe 9->16         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 18 WWAHost.exe 13->18         started        21 explorer.exe 4 158 13->21         started        24 explorer.exe 13->24 injected process8 dnsIp9 44 Self deletion via cmd delete 18->44 46 Modifies the context of a thread in another process (thread injection) 18->46 48 Maps a DLL or memory area into another process 18->48 50 Tries to detect virtualization through RDTSC time measurements 18->50 26 cmd.exe 1 18->26         started        32 www.lootproject.club 21->32 34 parkingpage.namecheap.com 198.54.117.216, 49806, 80 NAMECHEAP-NETUS United States 21->34 52 System process connects to network (likely due to code injection or exploit) 21->52 signatures10 process11 process12 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 15:14:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmheyctclgvchg3mgrfxaxpkl65uq63ibplvirj7a643afxmlapa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:qugo rat spyware stealer trojan
Link:
https://tria.ge/reports/220118-v4a4wsccb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
8995963e6cd0f365fc545572145fbe99132b3a2a4311deb1de6be6cf676f54da
MD5 hash:
9d0dcb3ac59dcf93c703cf2a96b6d8d3
SHA1 hash:
1c58a237720c3236ecd7dcdd3749400c133ee6aa
Link:
https://www.unpac.me/results/aefd0cbf-c5f0-40e6-89fa-2a36b29ea2f6/
SH256 hash:
b9c575a36bc80e08609b7e4d2e9e180f0c2375d0443d3bad1bba98f60716ab28
MD5 hash:
aaf01b8cb6827ebb607767c752abcd47
SHA1 hash:
3a52cbb4a92c3410f6ce6d1fbc08785c58153356
Link:
https://www.unpac.me/results/aefd0cbf-c5f0-40e6-89fa-2a36b29ea2f6/
SH256 hash:
fd1cb547ff1500174018e7ab3eea419a830d951b2d43ae31d3828d2a2da6a63d
MD5 hash:
4bf2f0d3497ff405174d0c95e000f829
SHA1 hash:
d7e7f210d1f854b3e99ced28e977bc0cb4e49b33
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/aefd0cbf-c5f0-40e6-89fa-2a36b29ea2f6/
Parent samples :
9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e
00a78edf157a3c87ad4b115c94882b77e110d51bd2bd4f59c41781b83620ed7e
fccb02b0403cae9441c58753519e4c216735cf2bdce838c8ad2b26b35fd59493
3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70
96de11fc0f948fc3039f297475ba8abfcedaa7a9718634359286fe49156cd216
8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0
6420ceb34588ec91292aa6fcaa2b77b99a4b492a009f51a409fd240d138c7856
db4fa159359fbe0ba9857ae0e971dd206f23a7522b14073151b27bb030db8f5f
3ae87042d27ff3dc60afa754c3aaeef419a19a4a7d67a090ad8991b5892c62d6
SH256 hash:
9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e
MD5 hash:
250d5a609ef789d81a32fa3acee75e41
SHA1 hash:
6d0b6ecce1eb9d26dd77552ca5b0ad737fe6e7b9
Link:
https://www.unpac.me/results/aefd0cbf-c5f0-40e6-89fa-2a36b29ea2f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1986800/
Cape
Cape
https://www.capesandbox.com/analysis/220276/

Comments


Avatar
zbet commented on 2022-01-18 17:31:13 UTC

url : hxxp://peak-tv.tk/successzx.exe