MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SHA3-384 hash: 2e97ec606ec414cc1c0abf63fac2362ecb004fb5ccead5fbd351963c57036ceb5a458a9fa147bc717a357a566f64fa39
SHA1 hash: db34bb2e6dc20b945443faa9f5c5607a66638735
MD5 hash: 40df500e4caa9265ef6bea269c34140d
humanhash: hawaii-may-pip-yellow
File name:40df500e4caa9265ef6bea269c34140d
Download: download sample
Signature Formbook
Create hunting rule
File size:677'888 bytes
First seen:2023-06-27 04:48:46 UTC
Last seen:2023-07-11 12:53:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:a5dPG2fJ4owKoZ4Ra6SeLDIRh+iq41d+RfgCyVN:yJ5oZ4Ra6SeXwA+d+FghV
Threatray 2'396 similar samples on MalwareBazaar
TLSH T143E4473838BD5627D174D7E78FE7E423B278982B3021EA2568C657C90686F1225C763F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0cc8e8e8eccccf0 (19 x AgentTesla, 8 x Loki, 7 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
8682811e-b4f5-4c3e-85a7-61445acf8a85
Verdict:
Malicious activity
Analysis date:
2023-06-26 07:32:36 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/fe550f9f-76da-4402-bcfa-a4fcea5abd56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403092/
Detection(s):
SecuriteInfo.com.Variant.Ser.Lazy.4454.12351.4912.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/649a6a3e07c2007b16e6e7ee/reports/a3f1e693-1411-4c8a-ad13-98c90ccf3fc2/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff1b7c7f-be33-4eac-9295-6ca8dcdfb76b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1261798
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 894818 Sample: oHHsORLxBO.exe Startdate: 27/06/2023 Architecture: WINDOWS Score: 100 35 www.newleter.com 2->35 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 8 other signatures 2->49 11 oHHsORLxBO.exe 4 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\oHHsORLxBO.exe.log, ASCII 11->33 dropped 61 Adds a directory exclusion to Windows Defender 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 oHHsORLxBO.exe 11->15         started        18 powershell.exe 21 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 2 1 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 37 masterbidbox.com 151.106.117.41, 49695, 80 PLUSSERVER-ASN1DE Germany 20->37 39 atfbestsale.online 162.241.2.24, 49696, 80 OIS1US United States 20->39 41 3 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 53 Performs DNS queries to domains with low reputation 20->53 26 svchost.exe 20->26         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 11:27:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzgqlnoapv37fpy726rcywnusmxqs2wr4fakknvaew24gjligbzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2834c7716f19153625258be49e586dc0d81be392f9bedeae1ddd740469287c44
Formbook
34b13a0e4c1c0226e821fa78d0a32e797db1329f3ab0d16e41a413968c274ba7
Formbook
35e8f730fa386dfecfb616ff20246d9eec1d6ec4d2b18f9d2e0d53032bff6b7f
Formbook
3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f
Formbook
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a
Formbook
4faf527fcde9f38b487c5f4a7c29dcba98977f664c1f2c8be13bc88c7232f496
Formbook
6147af8263840617beb21652bb8db0fc7683a9e62a084254e548a884c8fa9a31
Formbook
6f9e6daba8384e0535415277476d0bc21a6943ed2cd1483b18259280fab5e2fc
Formbook
737ed71a18c5ed82843236483504cac2ef798ec9651cc6687b5bcaf6022e070e
Formbook
f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
Formbook
+ 2'386 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:xchu rat spyware stealer trojan
Link:
https://tria.ge/reports/230627-ffnyhsea3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
955b267b5c991cccbd168c2127a490e77c2cd9e884c4963ff75e93b4f885bbcc
MD5 hash:
68b300e6be0bbb8bbc32c7c0b94b5014
SHA1 hash:
155b285f50d48b46378eb8bad40220050de07107
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
Parent samples :
4faf527fcde9f38b487c5f4a7c29dcba98977f664c1f2c8be13bc88c7232f496
2834c7716f19153625258be49e586dc0d81be392f9bedeae1ddd740469287c44
9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
29e78fb802e44392a7498b14646f1fa8db1cdf9f4a1646efd9072c69be26b6a6
MD5 hash:
5c4dafda9aaf1a00ceba9472ffc83a36
SHA1 hash:
874f2da42358aad9309b1f9bb2d8d09df0742551
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
51456e3deb2c8201855829be57a63b40c12c57d0fbb455db4f3986cabd347a3a
MD5 hash:
13f279c1d25c48c7b8e53d08bc2b5fd1
SHA1 hash:
2d365142673f22300bc9abb210af945002413ba3
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
955b267b5c991cccbd168c2127a490e77c2cd9e884c4963ff75e93b4f885bbcc
MD5 hash:
68b300e6be0bbb8bbc32c7c0b94b5014
SHA1 hash:
155b285f50d48b46378eb8bad40220050de07107
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
Parent samples :
4faf527fcde9f38b487c5f4a7c29dcba98977f664c1f2c8be13bc88c7232f496
2834c7716f19153625258be49e586dc0d81be392f9bedeae1ddd740469287c44
9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
29e78fb802e44392a7498b14646f1fa8db1cdf9f4a1646efd9072c69be26b6a6
MD5 hash:
5c4dafda9aaf1a00ceba9472ffc83a36
SHA1 hash:
874f2da42358aad9309b1f9bb2d8d09df0742551
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
51456e3deb2c8201855829be57a63b40c12c57d0fbb455db4f3986cabd347a3a
MD5 hash:
13f279c1d25c48c7b8e53d08bc2b5fd1
SHA1 hash:
2d365142673f22300bc9abb210af945002413ba3
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
955b267b5c991cccbd168c2127a490e77c2cd9e884c4963ff75e93b4f885bbcc
MD5 hash:
68b300e6be0bbb8bbc32c7c0b94b5014
SHA1 hash:
155b285f50d48b46378eb8bad40220050de07107
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
Parent samples :
4faf527fcde9f38b487c5f4a7c29dcba98977f664c1f2c8be13bc88c7232f496
2834c7716f19153625258be49e586dc0d81be392f9bedeae1ddd740469287c44
9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
955b267b5c991cccbd168c2127a490e77c2cd9e884c4963ff75e93b4f885bbcc
MD5 hash:
68b300e6be0bbb8bbc32c7c0b94b5014
SHA1 hash:
155b285f50d48b46378eb8bad40220050de07107
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
Parent samples :
4faf527fcde9f38b487c5f4a7c29dcba98977f664c1f2c8be13bc88c7232f496
2834c7716f19153625258be49e586dc0d81be392f9bedeae1ddd740469287c44
9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SH256 hash:
29e78fb802e44392a7498b14646f1fa8db1cdf9f4a1646efd9072c69be26b6a6
MD5 hash:
5c4dafda9aaf1a00ceba9472ffc83a36
SHA1 hash:
874f2da42358aad9309b1f9bb2d8d09df0742551
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
51456e3deb2c8201855829be57a63b40c12c57d0fbb455db4f3986cabd347a3a
MD5 hash:
13f279c1d25c48c7b8e53d08bc2b5fd1
SHA1 hash:
2d365142673f22300bc9abb210af945002413ba3
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
29e78fb802e44392a7498b14646f1fa8db1cdf9f4a1646efd9072c69be26b6a6
MD5 hash:
5c4dafda9aaf1a00ceba9472ffc83a36
SHA1 hash:
874f2da42358aad9309b1f9bb2d8d09df0742551
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
51456e3deb2c8201855829be57a63b40c12c57d0fbb455db4f3986cabd347a3a
MD5 hash:
13f279c1d25c48c7b8e53d08bc2b5fd1
SHA1 hash:
2d365142673f22300bc9abb210af945002413ba3
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
SH256 hash:
9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
MD5 hash:
40df500e4caa9265ef6bea269c34140d
SHA1 hash:
db34bb2e6dc20b945443faa9f5c5607a66638735
Link:
https://www.unpac.me/results/d26c59cb-4918-4cd9-8037-7b08f96306d5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e4d05b5c07d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2672572/
Cape
Cape
https://www.capesandbox.com/analysis/403092/

Comments


Avatar
zbet commented on 2023-06-27 04:48:47 UTC

url : hxxp://194.180.48.58/pablozx.exe