MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472
SHA3-384 hash: f97ef4137c7c6c32e0d555114fff957c782007fd2b6e4b7d3d8a46c7be2a0bb6b2a059119c1825418c703db481cc847c
SHA1 hash: 81adbb9921401a4bb567f665d3dabeff61278a04
MD5 hash: 90064098dcdf665a8affc5825e4e7815
humanhash: kentucky-emma-fix-rugby
File name:SecuriteInfo.com.Variant.Bulz.431671.16650.9290
Download: download sample
Signature Formbook
Create hunting rule
File size:865'280 bytes
First seen:2021-04-26 09:48:36 UTC
Last seen:2021-04-28 12:01:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:d+wuaus+rttChZFQcAdnlE2jqLUbi76g:cdauztApYnlE2feH
Threatray 4'895 similar samples on MalwareBazaar
TLSH A505F1362728EF55D47EDB7D9422201113F3E916EB23DA0EBEB810ED09A6B454673B43
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Bulz.431671.16650.9290
Verdict:
Malicious activity
Analysis date:
2021-04-26 09:51:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47eba62d-945d-4315-acdd-4f8b9c65d1a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144285/
Detection(s):
SecuriteInfo.com.Variant.Bulz.431671.16650.9290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697702
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 07:39:56 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsrhn5coy6q6i5c2jweaa4wtot6w3nco7nxjyk2e5agpz4bhirza._file
Verdict:
malicious
Similar samples:
1416666c5e810ca861f2957356678266e742812f3dc29a8361e588af59b8478d
Formbook
5180e6ef19db039d8365f3cb9690424e61504a80ab94a12738a633b6cdc5fccb
Formbook
5d1f28337792985c3609a213fa8895a307f35a529a22eafbad3281fa0f4e31a0
Formbook
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Formbook
a274ae6a1adcdc3967735c5f04aed6cf22d1541dc275def4eb2d7cb3c0c57d25
Formbook
b03f6bc5eec0f24076b3ef2c761b21d75c489ad34c5f94dcffab6d2b4d65263f
Formbook
bc0cc9f45e5a3b9f2f1815c4787849ebd8ab71d72aca809b687bc462ec9b5899
Formbook
c1d7028900706dc1fa7c0e165b9209415b96628bb49f17779f86256851a0d3c1
Formbook
d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Formbook
d96879b03c94cdf3e91756c0454825de2920b90cc7ffe73272692d572b930950
Formbook
+ 4'885 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210426-v7mmgqjays/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.consultinggroupwv.com/ple/
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/bd16e750-5ad3-491f-b181-721ad84c8c58/
SH256 hash:
9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472
MD5 hash:
90064098dcdf665a8affc5825e4e7815
SHA1 hash:
81adbb9921401a4bb567f665d3dabeff61278a04
Link:
https://www.unpac.me/results/bd16e750-5ad3-491f-b181-721ad84c8c58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144285/

Comments