MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
SHA3-384 hash: adddbcd326578361d209869ac66dc36d95940670c53f0c9f90a8b7eda8af53aaa11e28623bda77cf7f28f51f6704aaef
SHA1 hash: 0f9b27c7ab5437a033e4b033ba9b771380e4ceb2
MD5 hash: 4f19076e48936394ec0a525e03c5b317
humanhash: washington-india-salami-uniform
File name:4f19076e48936394ec0a525e03c5b317.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:601'088 bytes
First seen:2023-07-25 18:25:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:bXPZXoGozUq8nmFi+n6yMbOPzHThy37Y7/wu92i80SfyRp:pLGUqsyD6yMbO3hy3Ejw50Sfy
Threatray 3'614 similar samples on MalwareBazaar
TLSH T1A6D4132022EC8526C93D6FFE3C50A1850BB17D5F6262FB485F9858D98E31B245BB1B73
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2d6dbd754d4d71b2 (8 x AgentTesla, 6 x Formbook, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
bd86259ef85ed5eb85469ffb5702242c.rtf
Verdict:
Malicious activity
Analysis date:
2023-07-25 18:02:10 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader stealer spyware
Link:
https://app.any.run/tasks/f91506b5-a873-4c58-84ff-af5ba4fccb81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/433051/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13291.15692.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95ee3ce6-77d5-49a8-9358-7469e1fb66c8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279506
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279506 Sample: Akz2z1NImF.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 5 other signatures 2->42 10 Akz2z1NImF.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\Akz2z1NImF.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 Akz2z1NImF.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 2 1 14->17 injected process8 dnsIp9 30 www.j51xit.cfd 107.148.29.97, 49700, 80 PEGTECHINCUS United States 17->30 32 www.spatialdatacapture.com 162.255.119.110, 49701, 80 NAMECHEAP-NETUS United States 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 colorcpl.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 18:26:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tti3afx7sqlgph4wxachfbdijalnzdofyyowtdzp62nd2iaeo7fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09a46413e5df831a43d988315fc1973f8ec5124fa4d984c84da40d8a2b15f1ba
Formbook
4a30ba2e0012dd756f7d6fab584e78fe144a306d134921502819330a6978d328
Formbook
5ad354e8575a8c5c293f1fa8a1a25de41078a35c843b330a4b7529ec9b042d9b
Formbook
68f739e8cec56189a152729584f046954f13e32426331970eb755538a8008f1c
Formbook
88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04
Formbook
97bd79e26600f552bfb5764aec1606acb63b830b5fefb807d12fe2088854a3cc
Formbook
a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
Formbook
bdc8c2c8c2cf14b3189551124ff820c303a36139830b0ce299f2538ef9c2ff06
Formbook
c250549bfd9382d9489d8a0905c0b8bde28ec07f5af5d8b92e4ec8eb6cc72248
Formbook
c5ae9a42b26b2a0c9b7ab0e75dc45ebb11c69276345a8e8dcd6367599569fbc5
Formbook
+ 3'604 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:xy18 rat spyware stealer trojan
Link:
https://tria.ge/reports/230725-w26y8afa68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
6dba7e2f791b8bc6409266fad7402f38b3f89e8e7ecc11642bc42eaff38f0045
MD5 hash:
f7dfb8cac68b5d752c0a21d3024ce224
SHA1 hash:
9791866ce00085ac50f8f41a1cde215bf274d91a
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/32d3c83d-74e1-4201-88eb-e11da7f5e503/
Parent samples :
09a46413e5df831a43d988315fc1973f8ec5124fa4d984c84da40d8a2b15f1ba
c250549bfd9382d9489d8a0905c0b8bde28ec07f5af5d8b92e4ec8eb6cc72248
9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
c5ae9a42b26b2a0c9b7ab0e75dc45ebb11c69276345a8e8dcd6367599569fbc5
7575a4e559fb7df7dc4781137aa09a0e9bf542b3127b5e34850d5829e59ac58f
e337292eeb5ad0cdb4a6a6fa44620890113977bbc4be85b2f3440395547f6eb0
SH256 hash:
56708a100da1ecbca80e946bfadf1b013e0fae8a7d86d2169862d33401bbf29b
MD5 hash:
a284f1fa4d94de05d79ea56f7a7655da
SHA1 hash:
f3fad6341341ce0ca71199e8ccb0907bd6a51af6
Link:
https://www.unpac.me/results/32d3c83d-74e1-4201-88eb-e11da7f5e503/
SH256 hash:
1bf69033e97a8ad8d59469dd2f1aa57bab7461345e9993acc83afa48029c95ac
MD5 hash:
58419415321b3303da79fcd299874125
SHA1 hash:
a7a4c4fb47ccefd232a543219e2f4e0e12520912
Link:
https://www.unpac.me/results/32d3c83d-74e1-4201-88eb-e11da7f5e503/
SH256 hash:
7106b956a50b62abc9a98407c0b03987fe13cd39cb627a72e36f75be7162724e
MD5 hash:
6133c20f00359b779a8e3a730aff6e43
SHA1 hash:
791720c5a03092412043033fde4ad8030fda86d6
Link:
https://www.unpac.me/results/32d3c83d-74e1-4201-88eb-e11da7f5e503/
SH256 hash:
9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
MD5 hash:
4f19076e48936394ec0a525e03c5b317
SHA1 hash:
0f9b27c7ab5437a033e4b033ba9b771380e4ceb2
Link:
https://www.unpac.me/results/32d3c83d-74e1-4201-88eb-e11da7f5e503/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9cd1b016ff94/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2685600/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/433051/

Comments