MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bd6ff186abaaa8ad5ba8e89d2f12c87ea5fdac36e14af8192ad43655a90a972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

SHA256 hash: 9bd6ff186abaaa8ad5ba8e89d2f12c87ea5fdac36e14af8192ad43655a90a972
SHA3-384 hash: 2f66b582de7303b79a3a8ff5f7ebf49bae495091146981df8f09b360749b6b71a23160374fe7e674e40e772ce0856bd3
SHA1 hash: 621178e09718f892a7e8fd86da65963908fed565
MD5 hash: 29776aefed6bc1ea53c2bb85a0d328c6
humanhash: harry-timing-wisconsin-arizona
File name: Maynew-order #Brazil-05011.exe
Signature: Formbook
File size: 640'000 bytes
First seen: 2023-05-15 07:26:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:cqUTmfMYMlNZT/LVGFOQDD9v487+Rms33lmQPwDhYJ5:eTmMlxGFOQDhkRfVaVYJ
Threatray: 2'856 similar samples on MalwareBazaar
TLSH: T105D4CF89123BBFE2D9A917F0211434424B7DA11A75F8F0FC6D9BB4C9C89AB104BD4B67
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 235
Origin country: CH

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: Maynew-order #Brazil-05011.exe
Verdict: Suspicious activity
Analysis date: 2023-05-15 07:29:08 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys comodo lokibot packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph (ID 866459, sample Maynew-order_#Brazil-05011.exe, start date 15/05/2023, architecture WINDOWS, score 100): the sample starts, drops C:\...\Maynew-order_#Brazil-05011.exe.log (ASCII), checks for virtualization via RDTSC timing and starts a second copy of itself; that copy uses process hollowing and thread injection (SetThreadContext, section mapping, queued APC) into explorer.exe; the injected explorer.exe connects to www.kevinaccorinti.com (35.214.156.121, port 80) and www.drx72.com (122.10.4.13, port 80), with www.fzjinyebz.com also resolved, and starts netsh.exe; netsh.exe is in turn injected and starts cmd.exe, which starts conhost.exe. Graph-level signatures: Snort IDS alert for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 8 other signatures.
Threat name: ByteCode-MSIL.Trojan.SnakeKeylogger
Status: Malicious
First seen: 2023-05-11 08:52:00 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:ca82 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files

SHA256 hash: 8311241acff882f99b7e5fea6e60ea51b818ad98fa82f679a2babefd5fe88ea7
MD5 hash: 87c24ad552f13f186c254e420ff417a8
SHA1 hash: fe0fe2afaacd7306057777a0e9ea1b1e396b9c97

SHA256 hash: 3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash: 8a2c496875c0871aecc16aae768b323f
SHA1 hash: f5423a32125c70b512de301c5616c7b75477e2e7

SHA256 hash: 3161d4070cf1986605804b7a6c829cc470d282d9b67fa5bfc774cb42b8f1d55c
MD5 hash: 266ff259db543fbc0bd0d7a7c5294f33
SHA1 hash: 460564fc4e902de0eb4822b7e1d356514cd161ae

SHA256 hash: b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash: 7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash: 1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b

SHA256 hash: 9bd6ff186abaaa8ad5ba8e89d2f12c87ea5fdac36e14af8192ad43655a90a972
MD5 hash: 29776aefed6bc1ea53c2bb85a0d328c6
SHA1 hash: 621178e09718f892a7e8fd86da65963908fed565
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe 9bd6ff186abaaa8ad5ba8e89d2f12c87ea5fdac36e14af8192ad43655a90a972 (this sample)

Dropped by: formbook
Delivery method: Distributed via e-mail attachment