MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
SHA3-384 hash: 345f594fe6acd391a380c8ad1188c00aa713a506cd3563a25889613e333198482fdb3c1994aa4a22f59fa66c41283588
SHA1 hash: 9c7147640143c52435e42f97dad47f768f4c72d4
MD5 hash: 8ae2e7fbf45a305d88df997fdc957eee
humanhash: don-video-jupiter-mango
File name:SecuriteInfo.com.Win32.CrypterX-gen.327.26539
Download: download sample
Signature Formbook
Create hunting rule
File size:795'648 bytes
First seen:2024-10-10 11:52:19 UTC
Last seen:2025-01-10 14:07:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:dEI89rVbCx3YNKc6RgoUzMUlbTqDbwvaj3rm:Q9lCy8gobUlbTIdj3r
Threatray 528 similar samples on MalwareBazaar
TLSH T13605025033BD5F26CD7987FA6521A18083F67C1AB9A2E3A89DC571DE2976F008F50E13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
377
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.327.26539
Verdict:
No threats detected
Analysis date:
2024-10-10 11:53:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97cb5360-c939-4938-a64f-99bb6c2044e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.327.26539.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6707c023f936b5621b0c4099
Tags:
Malware
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/6707c021138022833756ba49/reports/2c3f6f96-8d70-41a8-909a-9fdde946376a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93a439a8-b2d6-4b4f-b45c-dc880fd1f763
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1530754
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-10-10 08:09:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpwxvpedw6cdjscchi4aooosrlx5w7ouix2m7djyssmr3z6htqla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
6dc1bba66cba9a4ee7a5156375e1935bd30c6b1022bea4082fb3714ce5c73e07
Formbook
78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94
Formbook
8762ea652c974bb0aa9bdf338ed57d46c251f72f5f1f4a5bf4d40c9961d8e2ee
Formbook
9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
Formbook
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
Formbook
error
Formbook
ffaa78a8a97885716e7dbe2a4a7ed9e1593ea5690f02f79f5d63c9b4964559da
Formbook
+ 518 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:t94g discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/241010-n2al1svfkg/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Verdict:
Malicious
Tags:
formbook
YARA:
n/a
Link:
https://app.threat.zone/submission/aeaa648a-40dd-4e65-bd44-4381f64fa661
Unpacked files
SH256 hash:
3eead0098cefd1ca92f5c18180e0ff8d702f2b462e585c1d04fd1f5f78d6ffbb
MD5 hash:
4471b83e01b0830b61c045fdb78b7bee
SHA1 hash:
801e7a49d556065666f6f72359b8032a5793f923
Detections:
FormBook
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
Formbook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Link:
https://www.unpac.me/results/2cea3ebe-4fca-48aa-94b7-1a9aed6f5f28/
Parent samples :
8762ea652c974bb0aa9bdf338ed57d46c251f72f5f1f4a5bf4d40c9961d8e2ee
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94
9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
SH256 hash:
a193ca3b85a39c67ce59b28223ff573d3979387253380571d7382a341adbbaff
MD5 hash:
8d3bceb4f351d16d8c19a1c3553ec70c
SHA1 hash:
adf070a8f4f475800c619b4d88ccb17a488f38cd
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/2cea3ebe-4fca-48aa-94b7-1a9aed6f5f28/
Parent samples :
abf6f6f8527a650cbc514945d036330694d9febe77fdae82e8a2d207789faa51
06d709cf438f3fefe0ed7858278e77e1188422e2b4d59706f6c4759df1a5aafd
9266e7c60ee4abd1b415a2ca3273d0a9d83547807f610565ca964065fa0aac14
4d5fc3f460988b553111d1272933b57a7b98deb12ca477e16f89f95126c92613
23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
eb825b11d00bc3ec41e7856a59ebe1027e3f9c9128a177e182f688535f22bfb6
08fc3b1fd5055344609064d31139e4a8e1c26d8c5d353b1ca97b4148f03d8823
142873db547e46701d0630bf254b6e4d7570a37e62194e89264b53410682d9a8
3c6442f58e0a1c358a1175dc5510899c7f5a753e9615abefbbfec7cb1bcb7bf4
a5c97f8e1ff612fbfcc18f1a1852db11099e58bb241f5b825c74715c60dd0fef
9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
cef7d88f9ddb7a30478aa00624340d206b0d84553d8ee969178d8ed59cea3033
470733344bb4e563a0b482efd18cf1f643808164c1093b9eea60e6eb0f40127c
b1520b6a3358bbcad7d55344f3d7bd2e75a9075ef4afd3f7c23de5def92daad0
175b56f2026e4e7b12259dca5a6181cc8b8dc85f88f6e24561246fc71ac9624c
9ca515b794477e792d95386fb74f8efe7fba769a2a082c5ebb3cc2b7d2460a95
732336eccda1e0e01a9474a968eb6ac9725fec8e8e03ad950472df75ba470693
f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b
fef8a3967f5c6164745be39c6911671f07e6fb7c690df94bbad259fb550a7abb
834d4e9657f33ca5bea5956050e5188ecd53b8a2fcad2b6136dc60f83619691a
e7372cd29537f5e27f70f6b9969cf16b2b2bcaf655406722f87efb7a74f2be38
c56b0068b210b206f7c93062eb115654919ea50fcb21a35391b25e33fcf92af2
4c862b599a4c9a2e709ab39c52f577a99685c5a2fd2683ff58ef67bef169438e
88fd2273dba726f8e93082eef548564c84ee1f3be9f69a7d02ef9a3ed7f8ea18
febb5bdd2ccb5a6421696cff51519112f8eef6abe873b37e24e6b1b78fa942ba
0309aa8889daca83b4cf97ab99bc9921bb549c9187736a69c76185dfe68cd325
94f98b239d0b82e134302c53455418fdcc7ed9ff19b9d8e9b079a7961c03068a
d1c69953a06498fe205f2b9feeeaff6258ed120ce94790d3a7107b521e09bc6d
399b9d5f1658e0050f4861e992ce7648ed78f8da0b9c7789da902550e7513884
4b7fd648f2be722b797647d77097c9245f2d61d9898913544f3f1702ced2a3d7
0868d29bf99ab1267ab55c306ecba0d147e12c1e8c6cec05acd76ded3e4edd1b
c9f9cac249b944a81dcaf942997c774b267cd4b27d64318dd5d91583274098f1
44223862b1ca9060ca97e5f36246dc1efd66a68745380ac1a6a221f0bc485b35
cff5f0bb2c9dc0d52591745ea43e9c7cd8dc46ea14c5a9996c72f76e7cdf7011
b37b37330f9c4970ca450212d0e3e902fb44110b4570bb07574621354509d045
cc080dac2e57cd7ce34efc7e9cfe8d14ed9dffda5f95006f2d010557b08220f3
3b233c5cc8b85a8020975ed736b93644fdae180f1d6f5190d91a3512e813ba8a
ea0d7f34cfddec8c57ddf23bfc5eab2c1692f1b3f5e8fdd6f4f7f8596e478d9d
dc4adc8ac3a46bc4cf987c81c9bdb338994bb77ffaf9ee803bb3987600ea7a12
d8df8ae0a2b685d4a9e0e2bc5c624c2b8b9be74d8a0ce6d00ba982e9077398e4
fe32cd498b7f031639961bfb962d1289896a3667f38f06f801b2c5d97d0b5906
836e1a1a93d29eeef8a26fd8001cb5efe017c899bea5c4d404db74cc7e6ea563
171b961f6ef845235612fb2685e94832c38dba1143dc02970bdcab7389fa3383
31a702cd5ff00baefbeb5f301ca3015587a099b0046939cc3d1e8cd553eb3147
40472fbefd08c24147afbf941b4504ee7a4658409e0077ec98c1e7dfb4c507fa
d360ba3b74cc01e2352a4070922b2dca3d46c7bfe5e4cde8ac474274f8522455
47e643f3f3a8fcb062b8e83acf86adc8b6f5256714d88aed3c95e48693c937c6
e46f2d7b2f17430fbf6670db5f785f22a38cec22cf879259032b1edb1d074c41
c12ecca79747db3f47b548b79fe0efc40e048fd1f430ec2e2fd9eccd6bcc8ec3
d72e2b372f10ca73099c02fedf3506ba76ba2aae1719f5bce7c7781454d1eace
68e83b9aefb2c1899294a6a9da8a3c2e34380d3e3af51c68d6c706d383ae61ce
4c11a38a17a285f3c95774f535fa79e2596bf5723b2cc7b870a29f06e85727c3
1546c45496290063818a4e24b240aa8cd88c8023dccb2876706a569a0359be9e
194f2fcea5e7a2056112f479911bf768c494f8dd04702471f643dca95bae46fa
51bad1b993f7599689fdf576e1f79383f6aa47e6ff1ba4775a7e4412a51ebd1b
e23a32c4d68cbf04b1206bd1459678a749482d44ef5ed825e507d124d34f8bc9
b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d
6f4bbb5aee6549053ab218b1d564cdcb6b07144dcab1dd3e92683d640f3a8b60
57c7933d769882ce3fe88605d7796c2137e8ae2ff2084469478af084740cb721
8f7124624844c97145faad6f265f2a15b5f1fa67f107168b61fd777d987d9f35
f228af74ecf7302bb5e8d9ce8060a9aa3fc2bd583bd477e23543452cf1cebad6
cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048
bfb4b96460ce25a3a585f3780f8ab6c0db4d31dccfe614491876332c028d4328
c82b82cf444e4a02ffe7091ef5ea7bea733c2127c38366c88775cade7d234681
b612dbe8660225d074563250626237783bfdeedf5bb38d5af1e2789690787fc8
5d021ca8e798f9713c4778b806fa00c207dbe34f4efec22ec5d1b65dd59c68a7
03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6
1e3104a64ac3e19163d22210b2f4df66dbccfe1731177ba1022ff9044b421c84
868444860f70d7825d5801e3ebdc8e9f0c5ffe72c3f42a938b7df98d50e10758
1dc4c4881f138a6f1ffae6b406e696a46a89f3a0d1265a5ec6ed3d80dc40ea32
86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161
d25aa55294fe6a2e98ba3c985c3182d745c511754c03ae7b4080133a8bb2e3bd
20648ff1d02266ebeece4bd2cc799c0b2be339887a45593c43cc851116820d4d
545f70314c72e3b34893811f991d96aa1cee2049f346419264e10f0ae44400bb
f86f20a799e10fb4906d426906e30734636a4c2743b8dd1b781adb307f4d5576
a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069
8ed60c6c3516465b2918af6a467e3b38c3b64fa39a32ee79d1337b15e1c3ac0d
ac56ec5a81bca833585ad1c052dc5614936523763c87ade64f519b23a4f0b24a
de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7
ebb5ff83ff02d5cc378fdcb1730736e22535ea3b945df2f80c992fdf09d21344
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93
2d1500188097d6bc8f6bcd1690db485ea07e82470b2a631246a4ff5c4b64fa42
067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c
2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988
SH256 hash:
95c84ab1bb3f228cfdd9318a6a1c42fc5c02c36cbf646b10c0f9d6c2551590ae
MD5 hash:
56a7954cea14c3bbc49a64f60fe909e5
SHA1 hash:
07740516a2dfa5033f0287651e56c49891cd9608
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2cea3ebe-4fca-48aa-94b7-1a9aed6f5f28/
SH256 hash:
9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
MD5 hash:
8ae2e7fbf45a305d88df997fdc957eee
SHA1 hash:
9c7147640143c52435e42f97dad47f768f4c72d4
Link:
https://www.unpac.me/results/2cea3ebe-4fca-48aa-94b7-1a9aed6f5f28/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bed7abc83b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments