MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1
SHA3-384 hash: dc0c44c8172324e7dddbcf4b32604f0092da6f2d4c422f88a12e638cd6f591216a113a855f1c0517be874acd7075796c
SHA1 hash: 301a8be850ab646a2ce57048c9fe916643123231
MD5 hash: 6f8a7615b6b594d3dde6af23ebb0f335
humanhash: uniform-papa-nuts-fillet
File name:SecuriteInfo.com.Trojan.DownLoader36.37393.27958.13375
Download: download sample
Signature Formbook
Create hunting rule
File size:8'704 bytes
First seen:2021-01-26 11:05:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 96:8IcPtv5pnUgiC6XJriV2ga3y5v/Lh6CdGz+moKuR78ztYwVhw4j+:hcPtv5pnMCGJa5XLh6MYjo1R78qKnj
Threatray 3'631 similar samples on MalwareBazaar
TLSH 07026208F38C9F23D87F77797353251733B786D62B67DA315E9C86A1A8025C60A0D746
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader36.37393.27958.13375
Verdict:
Malicious activity
Analysis date:
2021-01-26 11:12:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a89ec7b2-8354-4cb4-b51d-e5ba437e03c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113865/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.37393.27958.13375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/590509
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 07:27:39 UTC
File Type:
PE (.Net Exe)
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
148007b32a311769a958c3f87c6c836b14457f17dbe6a9a0188b0f68b3c30b40
Formbook
17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690
Formbook
180444e71cfbd639cea07e4cdc28099a444839f5ad3eb024b87dc9664fdfd5ec
Formbook
29c9884d02cba2c6ab0a72af878c9f1c2768d96b912f5847608fc040f5f98083
Formbook
41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70
Formbook
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
Formbook
7efe680d329762b0cf9918684edc265625b6d3681ed1a7d636bf51909d197e6c
Formbook
ceb2632fac30996ac58a50455d968873321f7a18972db02e9535b485a3b0e2f7
Formbook
dca4c9a7846a3ebb066c08583388adeb4b05e464f20abd10409ccf47164d8635
Formbook
e49c51a6864bf50e27baca58c5a2420046cae1803c5e0338af152b50d0dcc215
Formbook
+ 3'621 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210126-cjdb3ghh92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.ubrandt.com/2n2m/
Unpacked files
SH256 hash:
9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1
MD5 hash:
6f8a7615b6b594d3dde6af23ebb0f335
SHA1 hash:
301a8be850ab646a2ce57048c9fe916643123231
Link:
https://www.unpac.me/results/869b210d-9d5c-4f16-a112-626a0b8508f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978550/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113865/

Comments