MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc7fcfcf600302dc2fafb21be5a63dea8d15197f29a9af3b1ac200e725d9393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	9dc7fcfcf600302dc2fafb21be5a63dea8d15197f29a9af3b1ac200e725d9393
SHA3-384 hash:	dd7ba27d2e41f008353771939bb6d04fd609c73dd11e41e32f57a7a030ff31db04fb0af268f7ebb6dcb5f309e22dd08c
SHA1 hash:	1291d53e873e10e6fbcf2dd0f7398c62d13f7ab9
MD5 hash:	13c33dcf766129f15e1362f8edf9a981
humanhash:	pluto-robin-sad-burger
File name:	13c33dcf766129f15e1362f8edf9a981.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	459'776 bytes
First seen:	2022-02-23 15:26:11 UTC
Last seen:	2022-02-23 17:14:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:m/NaCwpS8ccw+VvSwLfrNMyg5PBaTV0D1YMNHz0cS8S8YP/ba5r1qDx80kxGdCtN:7WMrymMNHzvS01wx8nxGktN
Threatray	1'241 similar samples on MalwareBazaar
TLSH	T1EEA4F82F73BDB896D2EFAA732AE031B1CD7B723A1211279F20724D520901685EF55CB5
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Verdict:

Malicious activity

Analysis date:

2022-02-21 05:23:13 UTC

Tags:

loader evasion

Link:

https://app.any.run/tasks/76f1aa26-f2bc-4c79-a7f5-275e73fb7262

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/243854/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.40099.23600.32286.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Creating a file

Launching a process

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool obfuscated packed quasar rat replace.exe

Link:

https://www.filescan.io/uploads/6216524d875593a3cc0b4e64/reports/989a9d7d-6674-4eba-a392-4bce9f87176a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21bcab3f-7226-47f3-8df4-d163b5f6d35f

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/945023

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Yara detected Generic RAT

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9dc7fcfcf600302dc2fafb21be5a63dea8d15197f29a9af3b1ac200e725d9393/

Threat name:

Win32.Trojan.Skeeyah

Status:

Malicious

First seen:

2022-02-20 02:04:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

37 of 43 (86.05%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=txd7z7hwaayc3qx27mq34wtd32uncumx6knjv45rvqqa44s5sojq._file

Verdict:

malicious

Formbook

36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649

Formbook

3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f

Formbook

4ab15234cdc0baf746b77352e6d47af4643544c48c32653bd215c6e5296b6f3c

Formbook

81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0

Formbook

914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c

Formbook

92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448

Formbook

cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0

Formbook

dda839584708cdc28f165d0f387a43dbd32b7f56bba0af7c942ee2b751e9ab75

Formbook

eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1

Formbook

+ 1'231 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220223-svrdeabhek/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Unpacked files

SH256 hash:

9dc7fcfcf600302dc2fafb21be5a63dea8d15197f29a9af3b1ac200e725d9393

MD5 hash:

13c33dcf766129f15e1362f8edf9a981

SHA1 hash:

1291d53e873e10e6fbcf2dd0f7398c62d13f7ab9

Link:

https://www.unpac.me/results/0a2dd801-aae1-4b43-8488-6aad6d9fc5ec/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9dc7fcfcf600/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9dc7fcfcf600302dc2fafb21be5a63dea8d15197f29a9af3b1ac200e725d9393

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_1_RID2B54 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/243854/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample