MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52
SHA3-384 hash:	e8fb83ef15d004acba2d35ce6a63be6a6514df2a663724e26347dc00ae9f26e16fe9e5c40c6daebae69a742fd0c82e37
SHA1 hash:	daa9da9fedad87b33a9d2e89259629235bb2b015
MD5 hash:	17afae8266f4de31b69aa5bde0892dad
humanhash:	jupiter-hamper-freddie-magazine
File name:	shipping document_pdf.gz.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	781'312 bytes
First seen:	2022-11-10 08:57:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:ZYjdLVY4jMBtwfhTehM/YQkIEDKLyuiOzBpBF1HFkBoq:lCTMQrE+LjZ3T1H2uq
TLSH	T128F48C68A152C999F69F537290ECFFB023F271E3D1C9C71792A86184D7C9F960D8128E
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13097/50/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0ce4d09ecefc799a (13 x Formbook, 9 x AgentTesla, 6 x SnakeKeylogger)
Reporter	cocaman
Tags:	exe FormBook Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

shipping document_pdf.gz.exe

Verdict:

Malicious activity

Analysis date:

2022-11-10 09:00:50 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/d55314d4-adb4-4ca2-baf2-4e7ab97ff53b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/331797/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed rundll32.exe

Link:

https://www.filescan.io/uploads/636cbd1d82dd9f2e26534e8c/reports/a63ac97a-b601-4f8b-9fd9-439c0f8e9e2a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cab8e0c6-1e63-47d7-bc58-1c3b7333fd5e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1110203

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-10 07:12:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 41 (46.34%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tng7t5tp3sbyphjm4xcqo72r4dfafl2qauh55lgkzkmcxqgftnja._file

Verdict:

malicious

Label(s):

formbook

cobaltstrike

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:sy01 rat spyware stealer trojan

Link:

https://tria.ge/reports/221110-kw6kqagdg3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d564075a-fe8e-4d13-8a17-eaab38bf0e4b

Unpacked files

SH256 hash:

5a6b9e753d9f7078ec399721c6aa0405159c63219b217f222f6f20d1240091e5

MD5 hash:

8c34087ed573b47ee050dd24fb30eb52

SHA1 hash:

d46acf9eed2b7c6afd87e189d33b5e05785dc199

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/9b724df6-aaad-4cff-9d1e-1a61aacae15b/

Parent samples :

260f5a6aff298b7aec332ba6500169a52412145dbe6d487f61970d34e7b69c57
2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
1edd52620047de1ae4461b1184c25a995a8b0f924582db0ec808e0f9763b5cfc
e2f2df406e05d13e2245e2fe9da7128c257a7bb11464dce77ce386b51470abd8
b29e424c006aa87230a73e1289e52016446e85dc18dd7d60e79dbb8942ce57d4
9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52
071b55748a4bf8024c8db0de1a1e0201eb18bac7def0ceb902f0ff18039dfb2e
8a5eebc7b8520bde5c361db7249fe0d5286e9074dc7e0bfc555f3f2a1166bb2a
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a

SH256 hash:

bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd

MD5 hash:

b52058082749f08bbcb7036b0d4189e8

SHA1 hash:

90365baf6b18ff3139da00cd5caf30660643110e

Link:

https://www.unpac.me/results/9b724df6-aaad-4cff-9d1e-1a61aacae15b/

SH256 hash:

14d6e307d50c4754bf52fa926d794aaef853420a3c35ae18f853c8a3431650e7

MD5 hash:

6c8198b2bb48402b671d979ea661d908

SHA1 hash:

6ebb9a79433a69b6abad565f185f7ec3b2399bf6

Link:

https://www.unpac.me/results/9b724df6-aaad-4cff-9d1e-1a61aacae15b/

SH256 hash:

e77c0e5bbe7c1fe2de316a03b698072ac0a8c2b6a47b053327217e6b716d1ee6

MD5 hash:

4aa410b0dd71a3848f475ed94cabfad1

SHA1 hash:

56a829f0ac98f28340cbc8f618db7e138f9332cf

Link:

https://www.unpac.me/results/9b724df6-aaad-4cff-9d1e-1a61aacae15b/

SH256 hash:

ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52

MD5 hash:

1f2a6c02dcf9aa00a28a5039fb5b8ce0

SHA1 hash:

1ef480867d39b98368af7586a8e6ba38c0c3893a

Link:

https://www.unpac.me/results/9b724df6-aaad-4cff-9d1e-1a61aacae15b/

SH256 hash:

9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52

MD5 hash:

17afae8266f4de31b69aa5bde0892dad

SHA1 hash:

daa9da9fedad87b33a9d2e89259629235bb2b015

Link:

https://www.unpac.me/results/9b724df6-aaad-4cff-9d1e-1a61aacae15b/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b4df9f66fdc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.