MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259
SHA3-384 hash: ca459b4214c1616d0626577820076e85a9a7a9e0d80e58626ed5c34f75454e66d7d78a167f32ef55285114831b1e38d5
SHA1 hash: e2371038a5cac558e52297cb808ead02c2150c36
MD5 hash: e329a2ae51067a9ae8a508fb7dd34ca8
humanhash: juliet-river-lima-river
File name:SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691
Download: download sample
Signature Formbook
Create hunting rule
File size:258'048 bytes
First seen:2021-05-07 09:53:16 UTC
Last seen:2021-05-07 10:00:52 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:IEK9X0GgO9lrADDBeBneptkd/lY09fZwVr7q7BQMHy:IE80VAlroBcnewL1CVrKFS
Threatray 5'049 similar samples on MalwareBazaar
TLSH B444122B3A80D4FBD185A3B10D7B072BD776AE1454429B079BD03E4CBF326D6850FA99
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/152576/
Detection(s):
SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259/
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-05-07 01:12:29 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
024c67bdc81850f0d4acf648be1016358c78e21a74dbde96b0d753cffd76ffa7
Formbook
0c856e57da034a8943b4065297d075365090d9eb925abb7ba74dd3df9acefc1f
Formbook
2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6
Formbook
220f3d2b4e15b67592dc527153c3b7107d1465ef90339b8c00c0db2f9cc245fc
Formbook
2a728511ab345b4207ea5959439df12205796548388cc170b427110f9cc247dd
Formbook
5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e
Formbook
6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
Formbook
cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
Formbook
d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Formbook
ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16
Formbook
+ 5'039 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210507-mejwp18y7x/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.111bjs.com/ccr/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi 9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/152576/
  
URLhaus
https://urlhaus.abuse.ch/url/1203472/
  
Delivery method
Distributed via web download

Comments