MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03
SHA3-384 hash: cd41deb15803b8c8a8d1e37d4908716273691ee145fdae4dc630be880522523aa9e59ec3477f60efde31c014a7f8e777
SHA1 hash: 1fe28204941a586998e721e8ec4df57a353f6b05
MD5 hash: 21c467f17b35432b0e6d384e09e77e5d
humanhash: nine-cola-uncle-maine
File name:91JadopM6BYFF0K.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:805'376 bytes
First seen:2022-02-23 12:30:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:IK7777777777775rD3CnFWwdrkUA5ZYS86MHrCnA:h7777777777775/3/w+UA5ybhrCn
Threatray 13'971 similar samples on MalwareBazaar
TLSH T13405C04839A71F3DF1B18BB21DC4ECB4FA59FB231C08B37D78516686C691B809982776
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243720/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.NanoBot.mc.30336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6216290ca2660f3bb92f8c1d/reports/774f39ec-097c-4201-ba17-18f2bd38f9e6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/450ab99a-fed2-4afc-bc2c-253adf173ed6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944757
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 577236 Sample: 91JadopM6BYFF0K.exe Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 30 www.magicbasketbourse.net 2->30 32 www.j2ig529zbahs.biz 2->32 34 2 other IPs or domains 2->34 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 6 other signatures 2->44 11 91JadopM6BYFF0K.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\...\91JadopM6BYFF0K.exe.log, ASCII 11->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 11->54 56 Injects a PE file into a foreign processes 11->56 15 91JadopM6BYFF0K.exe 11->15         started        signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 15->58 60 Maps a DLL or memory area into another process 15->60 62 Sample uses process hollowing technique 15->62 64 Queues an APC in another process (thread injection) 15->64 18 explorer.exe 15->18 injected process9 signatures10 36 Uses ipconfig to lookup or modify the Windows network settings 18->36 21 ipconfig.exe 18->21         started        process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 12:31:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tukec2dapvhgqcf6ccgpgso2mjnzceyh3k5ld2tekoa2krz55mbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0fdf7d71205b22f118f035eadd183c769c80cd916e41228252494ce59658aad6
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
2ceae7d4227b3dc96253c77943851ebb41fab14f6f07af4dadca597f82ebda67
Formbook
46fa7e230e5d8398c15c24dd78906dcf50da9bb1d2cfd8682ad7f2f80819a3a8
Formbook
6fafca0825dbdedf739d4f57ea1b09563eed9834a54f2998b712891baeef4839
Formbook
70c6fd4de902c8ccce31380698b123def84b4d209c8b824e1065349a5aee9de2
Formbook
9e4e02725cde43b4da85cdf054b11ad0e4a622bb54f4a967b1634ebcaea9666a
Formbook
d277fc7f7001598fc7730b3bfec96ce2749f616d64fe20bcd403a599b1bc7c2c
Formbook
d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
Formbook
e4a4e1f73cbbd5667b5264b48bc7429ea638532d08e78d53b86b86c0fa5b291b
Formbook
+ 13'961 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:wdc8 loader rat
Link:
https://tria.ge/reports/220223-pp2emsaaf5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Unpacked files
SH256 hash:
d3ca3783db4188399ea2066aa9ca230c85a75bd547346b1d112219ca65a64bf9
MD5 hash:
5bf0df3cfd245af38deaef08677615a8
SHA1 hash:
a7b2107c1db7306089a298406d032456f3a302b3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c83f4b2-6881-4488-9a2f-742c05ca08eb/
Parent samples :
4ba337aa0663470b85d2b1b97713a219ea8c5d7ee7f5795dfc9017ae2b123e47
e34c0a8218be6d3783e8cd61b8040b6b39004ad34e68c1cdb2f123b636e6b274
1b9a70f1049fb47db190512121def425ec88c6f007a70308ac63c4549ae78f77
2ceae7d4227b3dc96253c77943851ebb41fab14f6f07af4dadca597f82ebda67
fef3c1fc57689534161dd663bf1cb63d3f728dc87cad1eca4ea1780ff889d056
3356a1d5d011f9117000a3f5326a8eecc0fc0d9ba156af4f634891b19c63773b
d976d19fe98e25ad6fd2c13d26f7e46311feb08952a5913d00231806d6277c78
852d04f44d46f2a8f75ca8827232765a90c172da5f2e7d84acc919c41bc73856
9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03
a70a717458c5147a02dca62c03c58d2e11e165180e683fa4755c719e6f9ad9c5
b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c
2bb47abc0ec7e4e48aa80d53e19056c6adbef6b1392b3816aa335364325870fb
02ad8318feb2f8ce745e2cefa321f18d19b7ad72085664371033fada68bd6b91
3b326d59a151e3500563ad4ce6c86228508d9295f54e71c8160aec088752c994
bb7f87209e05364542dc6536f26af0580d4b10a1d376abbc7ebd531c1d1ee046
SH256 hash:
723f56f84316028a8954cef339b51b5f42319c858a78efe8db3ba5277c80fb46
MD5 hash:
1d4cb3116b58d242c928169ae23a6792
SHA1 hash:
bdfa893f22eeb14c54226843523db24a48af1119
Link:
https://www.unpac.me/results/9c83f4b2-6881-4488-9a2f-742c05ca08eb/
SH256 hash:
78641d4f76f0e65864e9bbb883118c3f0b33033512cba8d5f0ed27b4c3fb9e99
MD5 hash:
7d34605d784e9d579966b9c24a4072e1
SHA1 hash:
a3897e0bcdaa82267856481f6bbba3d98e13100f
Link:
https://www.unpac.me/results/9c83f4b2-6881-4488-9a2f-742c05ca08eb/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/9c83f4b2-6881-4488-9a2f-742c05ca08eb/
SH256 hash:
9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03
MD5 hash:
21c467f17b35432b0e6d384e09e77e5d
SHA1 hash:
1fe28204941a586998e721e8ec4df57a353f6b05
Link:
https://www.unpac.me/results/9c83f4b2-6881-4488-9a2f-742c05ca08eb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9d144168607d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 9d144168607d4e6808be108cf349da625b911307dabab1ea645381a5473deb03

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/243720/

Comments