MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9d1fa40e50da5f6d22eee0a711265cc6340e0e8ff969c93d6113725407fbd6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a9d1fa40e50da5f6d22eee0a711265cc6340e0e8ff969c93d6113725407fbd6d
SHA3-384 hash:	35aa65653bb1f612ee73bfe011eb3e5b6412c205a09e73d6516c19037d266aa606921ac0032f33d3907b2e6cf95b4cff
SHA1 hash:	39f1883fe47e737ed65281e3fd6a7d382cefa85b
MD5 hash:	2dae8d9f7a07723e7b9f7a1045f907e7
humanhash:	lima-spring-fourteen-edward
File name:	SecuriteInfo.com.W32.AIDetectNet.01.7269.17341
Download:	download sample
Signature	Formbook Create hunting rule
File size:	606'208 bytes
First seen:	2022-07-25 03:33:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:sN2JNin30wvoTFI6wUaTbwRHsHCxvZJeuzeG8+cizxp5hw+lMi:sN+inEwQq6wTURPxvveuzfNb5qy
TLSH	T1A7D4022C1BB46F23ED7987F89855110003F8B5253463E7A91EC1B4DB2AA3F758981E6F
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/293851/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.7269.17341.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62de0ef7e04de093764cf2c9/reports/ec600381-342c-4678-94c9-dc6918e227b9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07241489-4d1f-4810-bed4-dbef0c9e494f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1040104

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9d1fa40e50da5f6d22eee0a711265cc6340e0e8ff969c93d6113725407fbd6d/

Threat name:

Win32.Trojan.XLoader

Status:

Malicious

First seen:

2022-07-25 03:07:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vhi7uqhfbws7nuro5yfhcetfzrrubyhi76ljze6wce3skqd7xvwq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/220725-d4appadbcp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader payload

Xloader

Unpacked files

SH256 hash:

0c3a61544b8d8ad30c311fe92f844a77ea2c2ce4e24bb215f6eac6ce37e0afad

MD5 hash:

2730d5bde341467f5325a5f45a867293

SHA1 hash:

4fa6d0e29554a2f4e7675ae332dd6bfa1f9837c1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/90ad0055-7e24-406a-a7b2-0b6b82bee746/

Parent samples :

684782ca20359680b64b720ee81fbb5653fa3a13661c06c61c4a80af50fcdcb9
8c56786407c509280b5b2ee7ad0267568876b56dc418f873816753b8a034f00c
a9d1fa40e50da5f6d22eee0a711265cc6340e0e8ff969c93d6113725407fbd6d

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/90ad0055-7e24-406a-a7b2-0b6b82bee746/

SH256 hash:

1981da0b3b97c66dfee5d3c0572259f31bc3f0860c80a3e6f9d3b36c30f42ff1

MD5 hash:

70aee0f700582d755c87dfedd122a691

SHA1 hash:

b5203ecda8aa400fb085473ab16ced2c5e01c4f2

Link:

https://www.unpac.me/results/90ad0055-7e24-406a-a7b2-0b6b82bee746/

SH256 hash:

467cb2fa910db79597371a2947e31035725b6accb22191ea7fd0b4a2dee195ce

MD5 hash:

a3b1c4732f67c9570047a0b07a637099

SHA1 hash:

4d5d291ddf929076842a06e28afb51d30f12815c

Link:

https://www.unpac.me/results/90ad0055-7e24-406a-a7b2-0b6b82bee746/

SH256 hash:

13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451

MD5 hash:

8b3a92a3409ae046bf3dc0753fcf8685

SHA1 hash:

4455c3efa2bf569f6d180063bb1e104a22581d61

Link:

https://www.unpac.me/results/90ad0055-7e24-406a-a7b2-0b6b82bee746/

SH256 hash:

a9d1fa40e50da5f6d22eee0a711265cc6340e0e8ff969c93d6113725407fbd6d

MD5 hash:

2dae8d9f7a07723e7b9f7a1045f907e7

SHA1 hash:

39f1883fe47e737ed65281e3fd6a7d382cefa85b

Link:

https://www.unpac.me/results/90ad0055-7e24-406a-a7b2-0b6b82bee746/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a9d1fa40e50d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/a9d1fa40e50da5f6d22eee0a711265cc6340e0e8ff969c93d6113725407fbd6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/293851/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample