MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6
SHA3-384 hash:	bbc20eebea799c857d6ec5801294ebc1ad3e582def8791b8bb2febe9ef8aef428d288c739c28003247d9e41c55d21fc3
SHA1 hash:	720b029984f6cd94bee7fdc6b2501783aac84549
MD5 hash:	ed9c16720462e8381b5048cd57be1532
humanhash:	helium-vegan-pip-yellow
File name:	PO4550358074.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	204'180 bytes
First seen:	2022-05-18 13:52:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:ZYa6VBiSJCB4O3STGo+qYMTkyEw7CLIbf0WM76NyePZuI:ZYDLO3KjqMTkZz76AePZp
TLSH	T10E1412482AFCC5B7E8A31BB19E7A052777B5E62128A8931F5750161DFE312D2C44EB33
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

PO4550358074.exe

Verdict:

Malicious activity

Analysis date:

2022-05-18 23:21:01 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/cf946d67-0b1e-4b3f-aeb4-904f500ab41b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/272125/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.2350.11188.2448.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Searching for the window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/18734/overview

Behaviour

MalwareBazaar

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/15cc3915-54d3-46d1-bb71-4a326d0aae72

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/996845

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2022-05-18 13:51:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t4uwvd67nywzgjehdhehcvv3aqikgfy5et744a4cudw2eb66v7ta._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:tgdh loader rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220518-q6ykraaed7/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

d8a34bd88ab11f8edf3ec181ba844eaaa9cb1f57924d7a190e0efc4f80aa36e0

MD5 hash:

d5884d22f97e74d3b9ceef6dfb1ddcd5

SHA1 hash:

2933ba3495e068ef07410705d405567a6d8c157f

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c6b14bca-73a5-4f6d-af43-96bc5a74f020/

Parent samples :

5bd972667024edef60c1f0f0bdb7c1602e7d9da7c736bc373e100c7521bb53f2
9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6
d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72
534116bf1a9bf94bd353ef08a736864b542269a03a039d2c54431cfd9894d729
e2661ac8c8a8e5db896935d7214c96181dff15dbf12f2051d86ce1a3a201c2dc
53012a3cec450e3c92749900993dfb081cd1dd86660063b8b1bebdf6400aebf6

SH256 hash:

cf6b1ec6183043d64bb4a9ce4bae020e616428dcd08a0881e3505063619bd9e0

MD5 hash:

96b86d74572aea213fede365deeb0f51

SHA1 hash:

90076976d7ae4584df5f36ba6c588b9216965886

Link:

https://www.unpac.me/results/c6b14bca-73a5-4f6d-af43-96bc5a74f020/

SH256 hash:

9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6

MD5 hash:

ed9c16720462e8381b5048cd57be1532

SHA1 hash:

720b029984f6cd94bee7fdc6b2501783aac84549

Link:

https://www.unpac.me/results/c6b14bca-73a5-4f6d-af43-96bc5a74f020/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9f296a8fdf6e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/272125/

URLhaus

https://urlhaus.abuse.ch/url/2200862/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample