MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc
SHA3-384 hash: b0cf69ce14fd82735a82a63759d56a49ffbef65240bae2e824d07af0b63e1a9c161fa63ac965ffd4d1bb9c8e648b7b1b
SHA1 hash: 3e830a7c59370b7c23d588a6806802219f2af058
MD5 hash: 191f75b9864da99f38b3b0fd0346d66a
humanhash: five-cold-montana-island
File name:191f75b9864da99f38b3b0fd0346d66a
Download: download sample
Signature Formbook
Create hunting rule
File size:734'720 bytes
First seen:2022-02-16 19:58:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:YM2dthfyUIuywkH22qla5w/yXbxghaFFoe0ENgcm:YlHfy6ypH0MW/IbxYENgH
Threatray 13'640 similar samples on MalwareBazaar
TLSH T118F49D48EBD559C0ECF946BE54F673242363EA748CCB824732DC787D83AE7A52E40A45
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242054/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620d578fa2660f3bb9e913a4/reports/e6d2cb0d-c91a-4fe4-a171-f745e51e1612/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c3a71faf-889b-4ff5-8ab4-e8f64f001c14
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941175
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 573653 Sample: 86WMKlng9f Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 84 yahoo.com 2->84 112 Malicious sample detected (through community Yara rule) 2->112 114 Antivirus / Scanner detection for submitted sample 2->114 116 Multi AV Scanner detection for submitted file 2->116 118 4 other signatures 2->118 12 86WMKlng9f.exe 1 4 2->12         started        signatures3 process4 file5 78 C:\Users\user\AppData\Local\huss.exe, PE32 12->78 dropped 80 C:\Users\user\...\huss.exe:Zone.Identifier, ASCII 12->80 dropped 82 C:\Users\user\AppData\...\86WMKlng9f.exe.log, ASCII 12->82 dropped 126 Writes to foreign memory regions 12->126 128 Tries to detect virtualization through RDTSC time measurements 12->128 130 Injects a PE file into a foreign processes 12->130 16 cmd.exe 1 12->16         started        18 86WMKlng9f.exe 12->18         started        21 cmd.exe 1 12->21         started        23 8 other processes 12->23 signatures6 process7 signatures8 25 PING.EXE 1 16->25         started        28 conhost.exe 16->28         started        104 Modifies the context of a thread in another process (thread injection) 18->104 106 Maps a DLL or memory area into another process 18->106 108 Queues an APC in another process (thread injection) 18->108 110 Uses ping.exe to check the status of other devices and networks 21->110 30 PING.EXE 1 21->30         started        32 conhost.exe 21->32         started        34 PING.EXE 1 23->34         started        36 PING.EXE 1 23->36         started        38 PING.EXE 1 23->38         started        40 13 other processes 23->40 process9 dnsIp10 86 74.6.143.26 YAHOO-3US United States 25->86 42 explorer.exe 25->42 injected 88 yahoo.com 74.6.231.21 YAHOO-NE1US United States 30->88 90 74.6.143.25 YAHOO-3US United States 36->90 92 74.6.231.20 YAHOO-NE1US United States 40->92 94 192.168.2.1 unknown unknown 40->94 process11 process12 44 huss.exe 1 42->44         started        47 huss.exe 1 42->47         started        signatures13 120 Antivirus detection for dropped file 44->120 122 Multi AV Scanner detection for dropped file 44->122 124 Machine Learning detection for dropped file 44->124 49 cmd.exe 1 44->49         started        51 cmd.exe 44->51         started        53 cmd.exe 44->53         started        55 cmd.exe 44->55         started        57 cmd.exe 47->57         started        59 cmd.exe 47->59         started        process14 process15 61 PING.EXE 1 49->61         started        64 conhost.exe 49->64         started        66 PING.EXE 1 51->66         started        68 conhost.exe 51->68         started        70 PING.EXE 53->70         started        72 conhost.exe 53->72         started        74 PING.EXE 57->74         started        76 conhost.exe 57->76         started        dnsIp16 96 yahoo.com 61->96 98 yahoo.com 66->98 100 yahoo.com 70->100 102 yahoo.com 74->102
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 19:59:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 27 (74.07%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1bc7ae65ce4613e96d19dcf560ec6bb47395431ed05480c42895002570c9cb3a
Formbook
26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3
Formbook
5dde67093b891df286e998912557fa598ebebc662bb30252fbe9ce7798e50242
Formbook
6bdb733cb3f2afe0506cd8959953fd4ade7efaf636e211f99fd6c6aea06e3bdd
Formbook
79215526b0229696bf3961e09918bca444cb43b079ca70834c54db52c49c51ac
Formbook
9767d52eebfbf17f2e549a57d68d7f11c199af327eeb20542b39485f883f61e1
Formbook
a0498dad46971848cf7b2bde020f6ac1ce8bd8508aaf920a2616063098acd6d2
Formbook
b972dfd3f5fd6142b67366d223c0056b75d3d93538a7c05ce35e27ad1c9541ed
Formbook
e803c5d292e1684844ff0ac82e76ca90caca1e44e7cd3507ce4ee4507b9d9fb2
Formbook
+ 13'630 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:xqqm loader persistence rat
Link:
https://tria.ge/reports/220216-yqdveacdd5/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/d9cf1d69-2eec-47d2-84b9-13ce39c4050f/
SH256 hash:
09f49c3de7d172de2d473e011428879e9f6d8ac3706d706c08818e72a0ffd96a
MD5 hash:
28f43f50917deece7cede8071503e96c
SHA1 hash:
e5e2d29c7a53de352237e001517baf2135791c76
Link:
https://www.unpac.me/results/d9cf1d69-2eec-47d2-84b9-13ce39c4050f/
SH256 hash:
9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc
MD5 hash:
191f75b9864da99f38b3b0fd0346d66a
SHA1 hash:
3e830a7c59370b7c23d588a6806802219f2af058
Link:
https://www.unpac.me/results/d9cf1d69-2eec-47d2-84b9-13ce39c4050f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9bd40dc608fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2045582/
Cape
Cape
https://www.capesandbox.com/analysis/242054/

Comments


Avatar
zbet commented on 2022-02-16 19:58:06 UTC

url : hxxp://107.174.138.144/abu/abl.exe