MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3
SHA3-384 hash: 21a0d33224e44cec042461b3b8356ec771115dd79b35d9fadec70d74eab0d6e9507b3f348f5262d08745fdbeefc3bf12
SHA1 hash: d6bfb1076c60fdcaf044ee50dd1a201dd949b5c9
MD5 hash: 4ef47260c033dd6fc7b0e4a744456209
humanhash: california-seventeen-cola-happy
File name:4ef47260c033dd6fc7b0e4a744456209.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:135'168 bytes
First seen:2021-02-24 08:03:25 UTC
Last seen:2021-02-24 10:50:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc882d101998a701353b40b0cd8c341a (6 x GuLoader, 1 x Formbook)
ssdeep 1536:GWWTwV4fVhudLOuANb6ioyG95TvkV8PG/eY5baCl4uxVQwV4MjW:OwVUPBhuTvU8PG/eY5bPl4QqwV
Threatray 5'233 similar samples on MalwareBazaar
TLSH 70D33B71B379EA73F5424735AA0AC2FC1B845F334C41895B64B23A1F2A742915BB1EF2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ef47260c033dd6fc7b0e4a744456209.exe
Verdict:
No threats detected
Analysis date:
2021-02-24 08:06:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f6148d3-1b2f-4ad8-b01c-4a0a89e8f135

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118918/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.01.16476.29646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616322
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 357167 Sample: Jjd9m7vNE7.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 27 www.cavapoopuppieshome.com 2->27 29 cavapoopuppieshome.com 2->29 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected GuLoader 2->39 41 4 other signatures 2->41 11 Jjd9m7vNE7.exe 1 2->11         started        signatures3 process4 signatures5 49 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->49 51 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->51 53 Tries to detect Any.run 11->53 55 2 other signatures 11->55 14 Jjd9m7vNE7.exe 6 11->14         started        process6 dnsIp7 31 lopwkg.dm.files.1drv.com 14->31 33 dm-files.fe.1drv.com 14->33 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Tries to detect Any.run 14->59 61 Maps a DLL or memory area into another process 14->61 63 3 other signatures 14->63 18 explorer.exe 14->18 injected signatures8 process9 process10 20 raserver.exe 18->20         started        signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 01:19:55 UTC
AV detection:
7 of 48 (14.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twl65j522f6uwmb5hn7ewqly7fcgfoqiykoenjhc7byhv7pjx3rq._file
Verdict:
unknown
Similar samples:
19294a8f3982807f6119e9720e8fde7c21fdc5c13be427f2c6fd130a7b532bec
Formbook
27a443c41d963cea02a5f71b9c71d0c48a0d3b3080fdf57597cfc1f33174b6e7
Formbook
42582301a45f364439c373addd94a25444999d6fd0c90f2678702b6909d6c413
Formbook
53b73eaf0ce8661e44d17932e6f4481f7f505ca6a4080da2e34c0085a0c7da87
Formbook
56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9
Formbook
684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf
Formbook
7c38d073b77ff7afc8f65aac812316d0fa9356115f1f3e78aca9fd496d177cad
Formbook
92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77
Formbook
a6e4d566693de23d4e9a169b765d509c634451cbb24b61ed498a593e7163ed1c
Formbook
c444900170cfcfffd0053d55120ef3de1a37aef88ce5a927a3312b54411a4032
Formbook
+ 5'223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210224-zpvh4wfmkx/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3
MD5 hash:
4ef47260c033dd6fc7b0e4a744456209
SHA1 hash:
d6bfb1076c60fdcaf044ee50dd1a201dd949b5c9
Link:
https://www.unpac.me/results/af6c3cd8-aaca-4e1a-974c-f8ccaa392b0c/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1026926/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118918/

Comments