MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
SHA3-384 hash: b292b949bc2187bdaf8e56af5cdb868a9d10a984efca4fe22ebe3a60cddb8e12f9902c02d078edce5986cbaa67220945
SHA1 hash: 69a30ca322c0ce272047e7a798ceb22d983bf5f3
MD5 hash: 8d360fc27ccfe9c27c3fe5e621002611
humanhash: jig-freddie-yankee-west
File name:SecuriteInfo.com.Win32.PWSX-gen.29192.12603
Download: download sample
Signature Formbook
Create hunting rule
File size:800'256 bytes
First seen:2023-01-17 06:29:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:6gIeGwt3+NNx8NDfbpZj1MAcLpcDOBPXbqTlj:6Q1yoZjaAcLpcqx2Tl
TLSH T1DA057B415A7B87E2D4B90E74123CA5142BA11CD147ADF23ABDC67DBA9CEB34F0099723
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.29192.12603
Verdict:
Suspicious activity
Analysis date:
2023-01-17 06:30:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4de9cc60-4d9a-4a2d-88a6-a9df931d7557

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353676/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.29192.12603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63c6406e8352dc7065e3353a/reports/ab8cf133-340e-4ec7-bede-666b3b3a9deb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/748525ef-b7aa-458e-86db-75a3500a411e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152823
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 785555 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 17/01/2023 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 7 other signatures 2->38 8 SecuriteInfo.com.Win32.PWSX-gen.29192.12603.exe 3 2->8         started        process3 file4 22 SecuriteInfo.com.W...29192.12603.exe.log, ASCII 8->22 dropped 48 Detected unpacking (changes PE section rights) 8->48 50 Detected unpacking (overwrites its own PE header) 8->50 52 Writes to foreign memory regions 8->52 54 Injects a PE file into a foreign processes 8->54 12 RegSvcs.exe 8->12         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 12->56 58 Maps a DLL or memory area into another process 12->58 60 Sample uses process hollowing technique 12->60 62 Queues an APC in another process (thread injection) 12->62 15 explorer.exe 1 12->15 injected process8 dnsIp9 24 www.asliceofbliss.com 216.40.34.41, 49717, 49718, 80 TUCOWSCA Canada 15->24 26 www.oxbridgemasters.co.uk 81.17.29.149, 49705, 80 PLI-ASCH Switzerland 15->26 28 8 other IPs or domains 15->28 30 System process connects to network (likely due to code injection or exploit) 15->30 19 msdt.exe 13 15->19         started        signatures10 process11 signatures12 40 Tries to steal Mail credentials (via file / registry access) 19->40 42 Tries to harvest and steal browser information (history, passwords, etc) 19->42 44 Modifies the context of a thread in another process (thread injection) 19->44 46 Maps a DLL or memory area into another process 19->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 01:41:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5cmlaabcslxmuqk573hd7yircz26ahr6ami65uo2ikzl6rq7aoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230117-g9gxqsbd94/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Gathering data
Unpacked files
SH256 hash:
6f21d46bc9ef68041d0b0ec89b878cae1e5b996988f5b367d54c46e00e782ef3
MD5 hash:
b23ff9e28cdfc56d60a68f42b346fc05
SHA1 hash:
e4eb037c7732ab9b73d59b66274816ae605dc3ee
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
Parent samples :
9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176
SH256 hash:
0d69ffb6d71bb73cb201c5d720e706020ecf8128b75a75df62b114a3a99709f1
MD5 hash:
dac31c8bc4e4a583f6571778e0cf57e9
SHA1 hash:
1a104ea41ecf0459fb8f5878182b5b1e48c4897d
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
SH256 hash:
0560ae9fe561c4f78208319b5e6f83a3742edc79f91d3844a5dcb6f232c0ef21
MD5 hash:
66f49d9bbe38225572533e03276491a0
SHA1 hash:
b601e09d6ddaa25665fad672a7776225730db74d
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
SH256 hash:
d8f7ba958afb057069e11071568b50e442e3b78d7ebd7eda6cfc3e16fa5db0be
MD5 hash:
9f18c1fccd09885cdf61a5f8c537a17b
SHA1 hash:
2109cfc9d31dee8736a15a0e9c867f442a44e38c
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
SH256 hash:
86c10b44745c084eddded4b66561df326bf7025a6ec56f6dbaf2f91d295dbdba
MD5 hash:
49e76bcca2fe220e03b9be7da3abb4f4
SHA1 hash:
10efb8d59d7d4a7903b7e2a9796816c738af000d
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
SH256 hash:
9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
MD5 hash:
8d360fc27ccfe9c27c3fe5e621002611
SHA1 hash:
69a30ca322c0ce272047e7a798ceb22d983bf5f3
Link:
https://www.unpac.me/results/8f8f4e22-2a8b-4354-a110-512e0ac427d4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f44c5800114/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353676/

Comments