MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
SHA3-384 hash: 59086a8a6afd74a51bfc6a9eb883a0ea3ec9864b3b1d0eb1dc3a5e578ae79e64af0f680f51b8f2356f389d4057e72d55
SHA1 hash: 58d33cd8862a881b002c7cf1cfecf951e0c4b70f
MD5 hash: bc278e61afe6b7ec94d465d01bb603c3
humanhash: mobile-moon-artist-september
File name:bc278e61afe6b7ec94d465d01bb603c3.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:672'768 bytes
First seen:2023-04-28 11:09:34 UTC
Last seen:2023-05-13 22:47:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:XDi4w1v8hgHaqJY+lYwE0HtYm/ar7bv4MTVLATarVWaT7uYgrFsegQVto:XDir0hg6qJY+q0NYsarPwiW47u
Threatray 2'848 similar samples on MalwareBazaar
TLSH T11BE4AD575065CD5FFE2AEBB0C0B4FF55A6F2F07320D195241BB92189CAA9F011E8C92E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Purchase Order.doc
Verdict:
Malicious activity
Analysis date:
2023-04-28 11:19:46 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/d1390df1-903d-4c4b-8416-15e91702bb86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385441/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/644ba98f1facab193c669ac7/reports/048a8784-4b7b-4437-a7e1-1dbbd543be9c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd266517-ba2a-46a9-b796-0ffd5853fa5a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1222756
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 855711 Sample: dVoBNUQnr1.exe Startdate: 28/04/2023 Architecture: WINDOWS Score: 100 31 www.gvihx.com 2->31 33 gtm-sg-6wr2vph4409.gtm-i2d8.com 2->33 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 11 dVoBNUQnr1.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\dVoBNUQnr1.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 dVoBNUQnr1.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 1 1 15->18 injected process9 dnsIp10 35 shops.myshopify.com 23.227.38.74, 49699, 80 CLOUDFLARENETUS Canada 18->35 37 www.itstopnotch.com 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 11:10:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tulxt6nge7k5dtizykq7ot3r5xnzftar3b2x2tvdult3gfpudbwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3104fa64c32a8333437eecd7781d4617f221d12975b4167338dfff37a1022177
Formbook
60b3645a7d02232fd97ba076bdb88e6a801f462ce972d79366df9261a9f62720
Formbook
878f78260ff0cc10af5b6aef90f7352b83dd20db8394db7ba06bb3230a54e674
Formbook
9889a91e24a729669aa276f27617f5169fd9d8f0358be427ed4e4cd9bb8e5dab
Formbook
befc3edb5d02c2d1350dfea27e2ae101704b5c18827e9dba61afe446ff371730
Formbook
cdca513e22701403a62e153f5d197a4d7e3f0fb3ed18f66021e00b7b3720713a
Formbook
dc9592028314f25ba440ef8629468e39714188cdd0d681e76d2e8222bec8978c
Formbook
dce7af2c2162f2fa2be0ca63706446e0b3c4bebdf1ae8791f22cb76ca7aa375c
Formbook
de567e5c1f4968bfb083ffcb111e1d0613780a47c58767af65fbd90c27507b4b
Formbook
f54df2996b5822d0fce462c7675e0a9522d05664f45fb278cff05617b8de7b9c
Formbook
+ 2'838 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e8fg rat spyware stealer trojan
Link:
https://tria.ge/reports/230428-m9qsjade86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
895f15ca9cefb2058b044c12ca33bbed2a857ca5a9c073464861224808ad061e
MD5 hash:
de26eb905c26dc8261dfeae6d176f6d7
SHA1 hash:
635149304cac3552fff59b5748e8186e27add4bc
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/fb7a83e8-43b0-433b-be15-bcf410c0abe9/
Parent samples :
f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e
02ea9a838872751f53f53611015ee23062c2cbc9b71a962caf500e54a145e87e
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
e4355828a192e2a9680ccde52befb9d6431f21f69572156cba5197409fc7cdb6
3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
290e9c2d3b53a9c41d8cc6a76b053217cf499ff19f7a73a89335fa0ae1006579
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/fb7a83e8-43b0-433b-be15-bcf410c0abe9/
SH256 hash:
ed0698fd18fccf44a6ad8c5d5df5c3c9dde0960f075b25bc735bdfec990d26d2
MD5 hash:
c1cebf65f99a3705c35f4d0ca34a0e1f
SHA1 hash:
d451feb2d5b48c2ca372cf766ce6d5ff7989448c
Link:
https://www.unpac.me/results/fb7a83e8-43b0-433b-be15-bcf410c0abe9/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/fb7a83e8-43b0-433b-be15-bcf410c0abe9/
SH256 hash:
f7d60277900c23bd4565a1a86894bbe02d9669d6b44ae08d3413421a7be11750
MD5 hash:
81b1c90d6b675352b8592daaa11b0a15
SHA1 hash:
7ca5d9a4b00bea0a9d2ce95ce2712aab7a24190e
Link:
https://www.unpac.me/results/fb7a83e8-43b0-433b-be15-bcf410c0abe9/
SH256 hash:
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
MD5 hash:
bc278e61afe6b7ec94d465d01bb603c3
SHA1 hash:
58d33cd8862a881b002c7cf1cfecf951e0c4b70f
Link:
https://www.unpac.me/results/fb7a83e8-43b0-433b-be15-bcf410c0abe9/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d1779f9a627/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/385441/
  
URLhaus
https://urlhaus.abuse.ch/url/2259322/
  
Delivery method
Distributed via web download

Comments