MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4
SHA3-384 hash: df21c73bebb354b064a07d827b22b4890c6c2588f58e9370cad7734b5589f0f321be386db6c2bf9e93e7852277732b88
SHA1 hash: a52555d85074c581e2af2154c490f9599b77f95a
MD5 hash: 6cf0200d66b943e0c41ce00807ffe6c8
humanhash: pluto-steak-georgia-bluebird
File name:SecuriteInfo.com.Trojan.Siggen13.6179.19808.402
Download: download sample
Signature Formbook
Create hunting rule
File size:372'736 bytes
First seen:2021-04-13 10:41:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c198acdc88e6433341d82c12cfad0a9 (2 x Formbook, 1 x CryptBot)
ssdeep 6144:43yAPECLO4dK/eNvPosSj3nBXDoA35F/hH6NCSfUEne2:43yAf8eNvrSTnVDoA35F/hYVe
Threatray 4'670 similar samples on MalwareBazaar
TLSH D884CF1173D0C133C05325798526CBB68EBE74712A6A598FAFC50EBD2F297D1A72630E
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://23.95.122.25/hdf/vbc.exe
Verdict:
Malicious activity
Analysis date:
2021-04-13 08:38:12 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8611332a-2255-4afd-b32f-e9ee6067fc0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133944/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.6179.19808.402.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/674165
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 18:33:15 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4d8a482a05fd92a0186ad2c0f3e77a86740f5c5c7850de4f5ed93e03ed640026
Formbook
5399fb6324cc620d69fd08e7975f69703e4c754ccb38e19b4e8088d8e9bc2569
Formbook
86071c5800d553ea0cac697f9188a7b592aa9336bf59302545b14aed8b13ce11
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
98bf20a283219c4cc786234b7d389766fddbe3b095d13c9109f5406128e83103
Formbook
9e23de70acc475a483df75190ca88ff14395f99074f84c8eb86b4eadf523e498
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2
Formbook
de3c81ef7e59a386f6572d4c095739d45493d90b03c348748200012ec165372f
Formbook
f86b0f3ec06d574080bd86e2980c7d04c29d4093d025fe592a567b5767031d2b
Formbook
+ 4'660 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210413-bgkdszgv62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.nyclgbxyi.icu/u6nq/
Unpacked files
SH256 hash:
1e5d26b6627ae95db16a1e5d6edff87d1a8a98dcb392badbc15e532ec761c91b
MD5 hash:
ec80e12785e432179b1f02ac5ce4d384
SHA1 hash:
b26ba8f9fc3c25f2a4c3904757d46a384ed5d304
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/df3a33c6-4acd-4193-b13c-152954c9c231/
SH256 hash:
9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4
MD5 hash:
6cf0200d66b943e0c41ce00807ffe6c8
SHA1 hash:
a52555d85074c581e2af2154c490f9599b77f95a
Link:
https://www.unpac.me/results/df3a33c6-4acd-4193-b13c-152954c9c231/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1108169/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133944/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 08:06:10 UTC

================================================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
================================================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0050] File System Micro-objective::Set File Attributes
6) [C0052] File System Micro-objective::Writes File
7) [C0033] Operating System Micro-objective::Console
8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process