MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
SHA3-384 hash: ab4380776aab55506974137fbfcf38122ae10ce83160a4e1bcaad67f87679a5c65294acf020840e249e77c841a9e37e4
SHA1 hash: c384ddc45d0067194b9fae470c530f5b7a47db3e
MD5 hash: 53820fa678467752c3c332f1556906b0
humanhash: lemon-arkansas-five-mobile
File name: purchase order.exe
Signature: Formbook
File size: 944'128 bytes
First seen: 2022-08-31 19:03:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f81b5c9269910375af465608d2f2ff2 (3 x RemcosRAT, 3 x Formbook, 2 x DBatLoader)
ssdeep: 12288:AJUHQf66vLY0QWoYa5RsDDVQdDPf+rKU5IT7greRccA/s/rsGvRcZoYto:AsoUQin8uerHqRcv/sHsoIo
TLSH: T10A159E11A362C83BD2375634CD1796AD682D7E106934B44F3BD61D087B7A3A2362F6CB
TrID:
  61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
  24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  10.7% (.OCX) Windows ActiveX control (116521/4/18)
  1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE): PE icon
dhash icon: ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter: GovCERT_CH
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 344
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
- Searching for the window
- Creating synchronization primitives
- Creating a window
- DNS request
- Sending a custom TCP request
- Creating a file
- Launching a process
- Creating a process with a hidden window
- Searching for synchronization primitives
- Launching cmd.exe command interpreter
- Setting browser functions hooks
- Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
- Unauthorized injection to a system process
- Unauthorized injection to a browser process

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
- MalwareBazaar
- CheckCmdLine

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: exploit keylogger overlay remcos shell32.dll zusy

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Behaviour:
Behavior Graph: n/a

Threat name: Win32.Trojan.Remcos
Status: Malicious
First seen: 2022-08-25 21:48:54 UTC
File Type: PE (Exe)
Extracted files: 70
AV detection: 30 of 40 (75.00%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader persistence trojan
Behaviour:
- Enumerates physical storage devices
- Adds Run key to start application
- Checks computer location settings
- ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: meth_get_eip
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe 9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912 (this sample)

Dropped by: Formbook
Delivery method: Distributed via e-mail attachment
