MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4
SHA3-384 hash: 3de51a972a61168181c33cd493c028d6fdaf4c2f086fec82947483cf619e40925cc5f7640095b11fb9633585f2854b3e
SHA1 hash: 0c1191769d0eb18c6de8d703f540184689900ae7
MD5 hash: 96e92a4922fd91f5f1dba2d9550b0f8f
humanhash: batman-happy-bluebird-echo
File name:SecuriteInfo.com.Trojan.Win32.Save.a.7562.2738
Download: download sample
Signature Formbook
Create hunting rule
File size:33'968 bytes
First seen:2021-06-28 12:59:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:KkYxQZ6++hIduJJ1U1NCOLtuEYzob6vWccgcccI5BrZIYaF/kgWzC747/SPD4uCt:KkYxQZ6++hIduJJ1U1NCOLtuEYzob6vJ
Threatray 6'093 similar samples on MalwareBazaar
TLSH FCE2B389974405BEE04DD67FE3C28A35EF32879F3926DD196D7E81FB1A162470088B1D
Reporter SecuriteInfoCom
Tags:exe FormBook signed

Code Signing Certificate

Organisation:4aiEN4f8ad
Issuer:4aiEN4f8ad
Algorithm:sha256WithRSAEncryption
Valid from:2021-06-28T10:25:48Z
Valid to:2022-06-28T10:25:48Z
Serial number: a7819d96484546c71e9783f83de7157d
Thumbprint Algorithm:SHA256
Thumbprint: f51bac143853de9e9717945735027af73556a6d6c92b03ad83e9d7153b73ef07
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Save.a.7562.2738
Verdict:
Malicious activity
Analysis date:
2021-06-28 13:02:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92c8bb8d-b263-4d47-99bf-553a78201338

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168587/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.7562.2738.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6632cf1e-d495-4ad9-a6c7-82df46b546c0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808828
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441239 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 2 other signatures 2->41 8 SecuriteInfo.com.Trojan.Win32.Save.a.7562.exe 15 4 2->8         started        process3 dnsIp4 29 kakosidobrosam.gq 104.21.67.197, 443, 49720 CLOUDFLARENETUS United States 8->29 31 192.168.2.1 unknown unknown 8->31 27 SecuriteInfo.com.T...Save.a.7562.exe.log, ASCII 8->27 dropped 43 Contains functionality to inject code into remote processes 8->43 45 Tries to detect virtualization through RDTSC time measurements 8->45 47 Injects a PE file into a foreign processes 8->47 49 Contains functionality to hide a thread from the debugger 8->49 13 SecuriteInfo.com.Trojan.Win32.Save.a.7562.exe 3 8->13         started        file5 signatures6 process7 signatures8 51 Hides threads from debuggers 13->51 53 Injects a PE file into a foreign processes 13->53 16 WerFault.exe 23 9 13->16         started        19 cmd.exe 1 13->19         started        21 SecuriteInfo.com.Trojan.Win32.Save.a.7562.exe 13->21         started        process9 signatures10 33 Tries to evade analysis by execution special instruction which cause usermode exception 16->33 23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 13:00:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 46 (36.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6miummz4ytppcnjsv4mdru7btgt4e6xydiqgpabe4gkx55wdxsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108
Formbook
3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461
Formbook
50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085
Formbook
5180e6ef19db039d8365f3cb9690424e61504a80ab94a12738a633b6cdc5fccb
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc
Formbook
bc0cc9f45e5a3b9f2f1815c4787849ebd8ab71d72aca809b687bc462ec9b5899
Formbook
cccbd0b2d46adeb6d99413af4d5a4492cd530922a09724f04c8fb1e0c47d8326
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
f8ca257b6bbb8a0b617611a8ddb0068f056f3dc38eb525495978632b03964380
Formbook
+ 6'083 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210628-npvprs1kkn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.takedaitos.com/wnb/
Unpacked files
SH256 hash:
9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4
MD5 hash:
96e92a4922fd91f5f1dba2d9550b0f8f
SHA1 hash:
0c1191769d0eb18c6de8d703f540184689900ae7
Link:
https://www.unpac.me/results/715fe112-6f96-4647-a682-c26a4bc3a774/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168587/

Comments