MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c
SHA3-384 hash: 339a2044701a9ffcaf388a3be4aa17deb3e210da795837e7b09d864a6d793c40093f3ae2e972e154be5fd64f71ccb667
SHA1 hash: 0c436abdb4813d5aec83df262fdfca8fa57f99ee
MD5 hash: 624513aa8d81b92779e353d915b4c3e4
humanhash: oranges-india-oxygen-indigo
File name:FT-2009-0030.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:421'376 bytes
First seen:2020-10-06 05:40:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:PKf+0/hitjkl6Vg+hQbng9vYkz1QFKmviIjKnbaw38bT:S2glP01Ykz2ImviIWnS
Threatray 2'282 similar samples on MalwareBazaar
TLSH 14949CBD38C75B6CC67A0B3541A184C2F67622C23F618B0DB25B630C1D972AB979375E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: one.go24.sk
Sending IP: 86.110.225.155
From: Alex Lin <support@larqs.sk>
Subject: Eckart new order FT-2009-0030
Attachment: FT-2009-0030.zip (contains "FT-2009-0030.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68397/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
75 / 100
Link:
https://www.joesandbox.com/analysis/482279
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293576 Sample: FT-2009-0030.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 75 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for dropped file 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 6 other signatures 2->38 7 FT-2009-0030.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\update.exe, PE32 7->24 dropped 26 C:\Users\user\...\update.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\...\FT-2009-0030.exe.log, ASCII 7->28 dropped 30 2 other files (none is malicious) 7->30 dropped 42 Tries to detect virtualization through RDTSC time measurements 7->42 15 cmd.exe 1 7->15         started        17 update.exe 2 7->17         started        signatures5 process6 process7 19 reg.exe 1 1 15->19         started        22 conhost.exe 15->22         started        signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 19->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 00:59:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7voslis7ib7ynpxtlzgobydvimkfxfttvs4mqk7qerz5nnpaeoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
262d8dd389aad1ef11023ded97da5703e88f1a96c2b0b8a1dbdde5fa7ee04022
Formbook
353e4fd91fe618f5c22c9cae00e7575e9b1914576ff7e332d03ca3e9f7dbbbbc
Formbook
3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117
Formbook
4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984
Formbook
546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
Formbook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
Formbook
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
a76588c6088ba6b56904fa50df8547ff3b93a67b520769d73e92b04bb8d718d6
Formbook
bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97
Formbook
+ 2'272 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/201006-1v5amx56sa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c
MD5 hash:
624513aa8d81b92779e353d915b4c3e4
SHA1 hash:
0c436abdb4813d5aec83df262fdfca8fa57f99ee
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
SH256 hash:
d065744c83c37b059fd345011b6c21297a5de8bc5ebbc93f05add6315bee770a
MD5 hash:
17d8bbf85363bf3ca0f6b4d0154dfeb7
SHA1 hash:
6295dcb6bfd8907d47b3db14d0d4b230c4f07186
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
31a7bddff330da3339a0219fc56b765a303477440389679363bcb239d3398f57
MD5 hash:
4dff620bf307007fa21a74ba9963963c
SHA1 hash:
7076ba73be791fe28114fdd83de2d4712b35823a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
Parent samples :
9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c
6c2f26b8fee229fab2605231fb9e9b16cf2b610d588410bfc183131a30fb4ca7
SH256 hash:
18a247e7696d1250483ae69405873b489486c0b47b825559078372b354b8ba68
MD5 hash:
7e4a270cda38e7072e1e67fb359eb4c1
SHA1 hash:
c1f673cc635167936d01c87bdd497a0c8b070286
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
SH256 hash:
4548ad361641eb85fb2e18a3992204310de62f9ee0979769dd0239e381da18ee
MD5 hash:
9ac674c13fce14da8ae3148beabad6b3
SHA1 hash:
29c215c76c690d41801ca9bc5c7afa5fe5679b20
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
SH256 hash:
f80246ebada2bc7dc6d8a3c573fdc4e1ae698f00b842453dcf9d662fab951f1d
MD5 hash:
5819b419daec4279b3499c0e1fa7c105
SHA1 hash:
4e36cc740d678d67c654ccab8433b3d44e5c257b
Link:
https://www.unpac.me/results/87fd42a4-0f5e-4f27-b274-9bf03f138fac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f0be7de38dafb9a3b6cd5c6cf159f4e6e219f03e74baafa139b8bc440633aba0

Formbook

Executable exe 9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c

(this sample)

  
Dropped by
MD5 57a0b9a86b26979bd22d21589409b987
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68397/
  
Dropped by
SHA256 f0be7de38dafb9a3b6cd5c6cf159f4e6e219f03e74baafa139b8bc440633aba0

Comments