MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b
SHA3-384 hash: b4e36cbd2520d7862b93f7dba71aaa27886b1103d30100f0bdf2663a3b9ed83b7ee234e8ddf42841a41fe2cb225955cf
SHA1 hash: 5235964381a431fb593570fbe8a0480c90d5c06a
MD5 hash: 7d14ef3583f1d461a9a9683008750244
humanhash: ceiling-alanine-uranus-fourteen
File name:Re,cnc machine and sowing machine.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:690'688 bytes
First seen:2023-08-14 06:41:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:JFBQZW/MT9+nn5cKXDWAWOtmVDDal5U1IO1sAmVMmbYKS6lqTjP:/BQ82wn5tXKAVIVdlsL0rTj
Threatray 3'710 similar samples on MalwareBazaar
TLSH T141E4C060ED79DE82E54F4BB8008FD74D82719C893522C23A5AAB50C6D4973C216DBBDF
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Re,cnc machine and sowing machine.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 06:44:31 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/0c9ef1cf-6fba-408c-b079-4528b6835d21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442581/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddb6d9bf-684a-46a0-b1ab-8bacbe4b2602
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290808
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b/
Threat name:
ByteCode-MSIL.Spyware.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 18:29:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tx6msmvgt5p5rkqta2ehjsgdjkio2pggbzkl5c6xyl4blrgpsuvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
244be6e97ebec790a323a32fc4fe43dade04804c07ae684191c4d527f5312ad0
Formbook
4246ac35e29b03cf4057457231abf222b88bf64cd65b59d7dc79d35b1953372b
Formbook
651a4c3e35b647788a3eb33862d90bc7d58912e6e99ffb8a7bd4c759634fe67b
Formbook
725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef
Formbook
76c0b6dacffa84c683a078ee89c597f3997aac922c0fbac7e2fe1ae5c7748259
Formbook
9d9e8ec84f674a2484716075dd29db7677057598a3ef9b1d0f8dd4addfac24da
Formbook
a16bbcd964ae89f1cae59ed66c22f1009830c91db528215972952d97433bfb71
Formbook
b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a
Formbook
+ 3'700 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ct45 rat spyware stealer trojan
Link:
https://tria.ge/reports/230814-hgcb8aab79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
1324ef1d47933d10b993f88ecbba39139917f63b5bb491de253b07e3895b6dfc
MD5 hash:
52b6e08cc03c01d68bfa8016d62136f6
SHA1 hash:
110f300f6a6dd87039eea6b879e51e77116c7bfe
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a0a0b678-92fa-44dd-87a6-1f3ed22fa840/
Parent samples :
d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a
9d9e8ec84f674a2484716075dd29db7677057598a3ef9b1d0f8dd4addfac24da
244be6e97ebec790a323a32fc4fe43dade04804c07ae684191c4d527f5312ad0
1434b391d1b8e5369395173e021878dee61f4269e7e758102c430bb047cb336b
725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef
9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b
SH256 hash:
1d4ef92940095ce5abd862ddf54fc5b5223e08dd96c0387c2bd2210f25e92963
MD5 hash:
f9337ea20e5973c9376b8ff35804e35e
SHA1 hash:
b6713a3f755af6fc8342cd11c08e67dc48af5751
Link:
https://www.unpac.me/results/a0a0b678-92fa-44dd-87a6-1f3ed22fa840/
SH256 hash:
8973ec20883b3d45af6c843de26bd764bb3ca9346ffe2def89942b1a973f16f0
MD5 hash:
67cda3ec4bee9bf8bb35ea857ac9a5d1
SHA1 hash:
6ca5037103de3a0d69b07610cdb9a4f7ed70c643
Link:
https://www.unpac.me/results/a0a0b678-92fa-44dd-87a6-1f3ed22fa840/
SH256 hash:
38ff77812d0834f27a29d38ba9baa1a7a3cfbb3ac391ad23a0ab22ed82110ba4
MD5 hash:
fc3578efcc98e4d79790c20912ef3188
SHA1 hash:
526b9877bc371affbf892042e7247a28b132f697
Link:
https://www.unpac.me/results/a0a0b678-92fa-44dd-87a6-1f3ed22fa840/
SH256 hash:
9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b
MD5 hash:
7d14ef3583f1d461a9a9683008750244
SHA1 hash:
5235964381a431fb593570fbe8a0480c90d5c06a
Link:
https://www.unpac.me/results/a0a0b678-92fa-44dd-87a6-1f3ed22fa840/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9dfcc932a69f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442581/

Comments