MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490
SHA3-384 hash:	b22bf028e285c12b294342a0055cbefce0635712b79181c3c208cf55b3d38197ad0cb73d50ae8f52029fc0396ad34e25
SHA1 hash:	1b4683cec4d54b3217b10d3a4908537ce52a9808
MD5 hash:	a8732c40f2c0e569f938a59e0ccb8130
humanhash:	blue-tennessee-mexico-don
File name:	Lista de ordenes de compra.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	669'184 bytes
First seen:	2021-10-01 06:35:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	37eb007caca04517136e6f2437bd7b42 (6 x RemcosRAT, 4 x Formbook)
ssdeep	12288:6xAWXql73WhMWZP6I2Wjh2h785jWU1bjjx:6xfXqlKCW92chM85SU1bj
Threatray	9'768 similar samples on MalwareBazaar
TLSH	T153E4BE41FA81A937C17239FDD6260229A4697E003A00BABD7DEC3C84A7F9787F45D9D1
File icon (PE):
dhash icon	e1b0b6c2736a7878 (6 x RemcosRAT, 4 x Formbook)
Reporter	abuse_ch
Tags:	ESP exe FormBook geo

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Lista de ordenes de compra.exe

Verdict:

Malicious activity

Analysis date:

2021-10-01 07:17:24 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/db75e613-cb65-4e85-904d-d58e64e2b87d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/193875/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.26590.16247.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Launching a process

Launching the process to change network settings

Launching cmd.exe command interpreter

Deleting a system file

Sending an HTTP GET request

Unauthorized injection to a system process

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c7365d7f-dde4-4ef9-942e-0156b73e1f7e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862508

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-09-30 20:43:00 UTC

AV detection:

12 of 45 (26.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=trky5hycmem3vmsybqpdquzyodjvdmpadzstifbhdfcqjywn6sia._file

Verdict:

malicious

Label(s):

formbook

Formbook

1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1

Formbook

2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1

Formbook

64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e

Formbook

99a52f15cbd0ceb13b15070bbbab2eee59974d15e8d4aaed562b015d888294c5

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7

Formbook

+ 9'758 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:pvxz loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/211001-hcxscsbagn/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.finetipster.com/pvxz/

Unpacked files

SH256 hash:

f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703

MD5 hash:

6cfdeebc3c72279486ddd229eb14b009

SHA1 hash:

e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7

Link:

https://www.unpac.me/results/fef80995-947f-4b04-8603-cdfb8fd63dbc/

SH256 hash:

9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490

MD5 hash:

a8732c40f2c0e569f938a59e0ccb8130

SHA1 hash:

1b4683cec4d54b3217b10d3a4908537ce52a9808

Link:

https://www.unpac.me/results/fef80995-947f-4b04-8603-cdfb8fd63dbc/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9c558e9f0261/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193875/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample