MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547
SHA3-384 hash: 4c654ac576cf13ca20947684be08dc10943bedb32f363b2b66e19d204601eb2babb0ace1eb0e9010651a595ea734b98c
SHA1 hash: 82803dc73d1588942c61944829bd4437df17bf82
MD5 hash: dafb8d939f1e7433d11ab35ddc72cfc8
humanhash: wolfram-louisiana-early-montana
File name:order # 81027.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:739'840 bytes
First seen:2023-08-30 13:07:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:VQcA5k6quyC4L/3uS3pqa+N09t2xz9CJJxxjYDfxSGHgviXB++3WUhRcOJ5clT:VQcWqJpSBNN0STCfbYDJSsdMH5ycT
Threatray 140 similar samples on MalwareBazaar
TLSH T18CF4F12876BC6F66E679C3F98534554417F92BAA253AE34C8DD174EF2761F820E00B23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
81027.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-30 10:47:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ebe964a-6617-484a-9efa-b4a25b6fc5d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445305/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.25269.24331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin masquerade packed
Link:
https://www.filescan.io/uploads/64ef3f33b3b7d7c782d141c8/reports/a38a4966-1835-49d3-9067-3bfa6c1c1530/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/381197ce-c32b-46f1-8fa1-42db5d5a7c62
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300381
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1300381 Sample: order_#_81027.exe Startdate: 30/08/2023 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 9 order_#_81027.exe 3 2->9         started        process3 signatures4 52 Injects a PE file into a foreign processes 9->52 12 order_#_81027.exe 9->12         started        15 order_#_81027.exe 9->15         started        process5 signatures6 54 Maps a DLL or memory area into another process 12->54 56 Queues an APC in another process (thread injection) 12->56 17 XkDojyyZyuxZwBezjtxUTEz.exe 12->17 injected process7 process8 19 svchost.exe 13 17->19         started        signatures9 42 Tries to steal Mail credentials (via file / registry access) 19->42 44 Tries to harvest and steal browser information (history, passwords, etc) 19->44 46 Modifies the context of a thread in another process (thread injection) 19->46 48 Maps a DLL or memory area into another process 19->48 22 explorer.exe 1 19->22 injected 26 XkDojyyZyuxZwBezjtxUTEz.exe 19->26 injected process10 dnsIp11 28 www.safartour.org 198.244.230.230, 49763, 80 RIDLEYSD-NETUS United States 22->28 30 www.cealr.link 38.6.177.47, 49785, 49786, 49787 COGENT-174US United States 22->30 32 2 other IPs or domains 22->32 50 System process connects to network (likely due to code injection or exploit) 22->50 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 04:03:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsf5ssc3xebz43bpbo3wllcycmoepczsiglegqctpc63wtvtavdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5762d46e91e94d731bb4f1047a3d080b27be1b34d05236e8c8f24b24238545fd
Formbook
6a5fb47fa51f3c9fda9c9b2646a5d0b7d35ea2447e1c144131f2819d49e73518
Formbook
86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
Formbook
93512f8df3b84088ddebeaa216201bfc2a2e9d68ded4133a9ef94fc5f154b229
Formbook
94f494962805c4cae1a0295d20db44ac8a42f4a6447a5856f17716c8f146844c
Formbook
b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e
Formbook
b6b2b89e880bddb6817fc3da22e4cf9a0e6f823667f8d3eb5de2e8943f745405
Formbook
d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869
Formbook
fd82749104473f4be5f7498f2a751f4090f999c50ae63e114ea49067c2b16185
Formbook
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230830-qc7xbsef6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
510101cf792cf26328e3b813169333c405687045c31693c9bdc40944b58aa335
MD5 hash:
9a706a70eafefcd58c2cf242e43300de
SHA1 hash:
23990eed51c81ccd3c961920a2fbc781437cdebe
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a5303120-d7b0-4472-b6b0-ce7a7b5546e1/
SH256 hash:
053f3e7b7af0d272a8eaa88c48d03c1953e70c1023390a6328b035a3996f9ba1
MD5 hash:
5ba7efb3366741d3e16745a15ce6b809
SHA1 hash:
739903a192d60282dcf99b41b051a09c92067b29
Link:
https://www.unpac.me/results/a5303120-d7b0-4472-b6b0-ce7a7b5546e1/
SH256 hash:
b1f2bdbad8ba505618d98d1d21688a094239dbc4a6d3e6a287fd015ff4539b3b
MD5 hash:
25b4faa1df04aa441f31194fc2e42fce
SHA1 hash:
f3455e0024781e2776dc9d95d5764d23d67cb374
Link:
https://www.unpac.me/results/a5303120-d7b0-4472-b6b0-ce7a7b5546e1/
SH256 hash:
892761d55890a0af5517cc5da1b7b251539f9d1b5e126616def3b66b60b25f50
MD5 hash:
1381fe1ab71c80397a78422051edbd51
SHA1 hash:
e258e5a6e54f6314944e713515d22906fa4520f7
Link:
https://www.unpac.me/results/a5303120-d7b0-4472-b6b0-ce7a7b5546e1/
SH256 hash:
5846c855d84ce31d178d105977e643a28a6d76bb34bb0312f43246dca9d6d1af
MD5 hash:
94e1fbd0d7f35b45585f385cdc078f90
SHA1 hash:
b0a9c360bab3f214555333d9e4f11ccd874b2dd3
Link:
https://www.unpac.me/results/a5303120-d7b0-4472-b6b0-ce7a7b5546e1/
SH256 hash:
9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547
MD5 hash:
dafb8d939f1e7433d11ab35ddc72cfc8
SHA1 hash:
82803dc73d1588942c61944829bd4437df17bf82
Link:
https://www.unpac.me/results/a5303120-d7b0-4472-b6b0-ce7a7b5546e1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c8bd9485bb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/445305/

Comments