MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a
SHA3-384 hash:	4881bce519ce2c7cab1a8c7316a81d9d163800884bac92ecca9ed5f3107855fc389272c8a654edb35e8220f223c48891
SHA1 hash:	6563f1ac1ed459403a63b3d78a55c94a1b939d04
MD5 hash:	bc95dfb1bbe14031b0ee4318dc731457
humanhash:	montana-lemon-hydrogen-fix
File name:	triage_dropped_file
Download:	download sample
Signature	Formbook Create hunting rule
File size:	255'042 bytes
First seen:	2022-01-31 21:33:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:owZope7DHMykBw45ldcRBfQnTpHItV50sUcd3h3r8xr11x:lopcrMoW7U1OCtDNrRb211x
Threatray	13'203 similar samples on MalwareBazaar
TLSH	T17C4412A601C0A9BBE458EA736E37E77AEBFB76081F5101134F454EDE760E091089B1D7
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

1

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

saskaita apmoketa.xlsx

Verdict:

Malicious activity

Analysis date:

2022-01-31 17:54:38 UTC

Tags:

exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/c90cfada-f6f8-425b-abca-8991bceffd70

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/228780/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

DNS request

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61f855cda0f6a794b32e4695/reports/32211e55-a29a-4a03-b1c9-2af80495573b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1c07e135-b5c5-4e94-8d64-dddbee5c93be

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/931254

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a/

Threat name:

Win32.Spyware.Obfusinjector

Status:

Malicious

First seen:

2022-01-31 21:34:09 UTC

File Type:

PE (Exe)

Extracted files:

4

AV detection:

23 of 28 (82.14%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=txtvcu3kkwme35hanbx7i656kvjza3klfysvtv5pyam7zn6u5nfa._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

081be32fe752d7e270c45f1d7a71889aa4452a590963da8dd75e3f26861ddba8

0d42799a7602de1d76ef3b39ceff5075b95dd1e3891332987d525a07ef5c5f0f

39cc0c369b8ce6f0570864f4ac0019abed40383a582aae1a13c34e2de08a7168

3ef87bd378c364fe42e2a46547baa7b5683716328eaf8c1e3bd74050becb83a3

502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2

71bad0685e5b2447a8dcdc960ee2930ad5ec4910d5d449040fb52cb9754df2a2

73f458d7e38ab748b7b7d3b3e680db9eb08d845c1b1b7c935a6ee453d8f03358

9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30

f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1

+ 13'193 additional samples on MalwareBazaar

Unpacked files

SH256 hash:

9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a

MD5 hash:

bc95dfb1bbe14031b0ee4318dc731457

SHA1 hash:

6563f1ac1ed459403a63b3d78a55c94a1b939d04

Link:

https://www.unpac.me/results/41e65666-e8b3-400f-8855-aba6b8186125/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9de751536a55/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/228780/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample