MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 20 File information Comments

SHA256 hash:	9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f
SHA3-384 hash:	edcab79c33c32527020cd291360d0d9985a05b3ff6a8c98c73a51222a634c8965845cde6f361ac3f2b2d95fb7bb43d09
SHA1 hash:	51c8e452353941a976ef82eceac69f4387ac57fb
MD5 hash:	21d88b2a0f4c4577417d3706c6ffad49
humanhash:	uranus-summer-april-mountain
File name:	Purchase Order P02144004R.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'236'480 bytes
First seen:	2024-01-09 13:06:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aedDNy/cRcCZic6GSyU0U:YTvC/MTQYxsWR7aeJNhRcCb
TLSH	T1DC45C00273C1D062FFAB91334B9AF6115BBC6A660123E61F13981D79BE701B1563E7A3
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	6a6ae6b6b0b484a1 (3 x Formbook)
Reporter	JAMESWT_WT
Tags:	exe FormBook P02144004R

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470017/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit bladabindi control greyware keylogger lokibot lolbin masquerade packed shell32 threat

Link:

https://www.filescan.io/uploads/659d44f83b363792f357e010/reports/8b4aa8a9-e6f7-472a-80c6-525005ac3d1f/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LockBit Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/391e9895-acab-45d8-b0b3-3e4d9517b67a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-01-09 08:38:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=trstnlrlswel6xnnuso4sgfgncrajyeqh7ajdpy2l25kzonvkwpq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240109-qcmldsbbal/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

bf8832191b1800c669ca406954c1a1d977a4bb0379c101fd09fcfe38213b2d61

MD5 hash:

f47e56c914a7ebde034c3dddd4e10ef4

SHA1 hash:

b968a630716c4db18f18f2d619db2e7c0b8e772c

Link:

https://www.unpac.me/results/44821dee-cc9e-4f0f-9354-6caac0a45c8e/

SH256 hash:

3f76f80ace754df39de9a2fe0f63e2e8e702a239cd6c4607366476330aba533c

MD5 hash:

b744e85f580eeeeba8a999087a50ad6f

SHA1 hash:

879789f4c8a0a9a777ccdd3ed6da19404d96a19d

Link:

https://www.unpac.me/results/44821dee-cc9e-4f0f-9354-6caac0a45c8e/

SH256 hash:

9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

MD5 hash:

21d88b2a0f4c4577417d3706c6ffad49

SHA1 hash:

51c8e452353941a976ef82eceac69f4387ac57fb

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/44821dee-cc9e-4f0f-9354-6caac0a45c8e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/470017/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample