MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516
SHA3-384 hash: 37d86097a36d7b85af39f83ded3c4440d5f96f35e7c90f35c1b44c5e0ac8a79329900d9231d820bad7548e00f943cc61
SHA1 hash: 77c497557ef834f7898518a9879ab1a07010c587
MD5 hash: 9689c07b9b5503057eaacd8892bc6ed2
humanhash: bluebird-lake-coffee-nebraska
File name:TR-210315-873.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:920'064 bytes
First seen:2023-06-18 16:39:19 UTC
Last seen:2023-06-18 16:59:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:KNbQka2iNx5LbzIu9+r9kDeVujuXI/bSnLgeCNh93tBHAWhSG82Hg7s:Ua1j5LA9KKHXNLgFLAWMG8B7s
Threatray 1'265 similar samples on MalwareBazaar
TLSH T16D1501003656CB16C47E0BF9C990C1F047767E26E823C71B2DD27EDE3A72792529A687
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0c8fcf564781929 (1 x Formbook)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TR-210315-873.exe
Verdict:
Malicious activity
Analysis date:
2023-06-18 16:40:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0275eb0c-45e0-48cf-9ad8-e964969562b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400196/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/648f3361540cead77b081b08/reports/5631471c-fae4-4779-ba85-2d1973edcbb6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/039c3370-68cf-4380-8b13-e1c9ae4619f6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1256908
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889924 Sample: TR-210315-873.exe Startdate: 18/06/2023 Architecture: WINDOWS Score: 96 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 2 other signatures 2->45 7 TR-210315-873.exe 7 2->7         started        11 REIwHDL.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\REIwHDL.exe, PE32 7->31 dropped 33 C:\Users\user\...\REIwHDL.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp2246.tmp, XML 7->35 dropped 37 C:\Users\user\...\TR-210315-873.exe.log, ASCII 7->37 dropped 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 13 powershell.exe 19 7->13         started        15 schtasks.exe 1 7->15         started        17 TR-210315-873.exe 7->17         started        19 TR-210315-873.exe 7->19         started        53 Multi AV Scanner detection for dropped file 11->53 21 schtasks.exe 1 11->21         started        23 REIwHDL.exe 11->23         started        signatures5 process6 process7 25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 conhost.exe 21->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 03:25:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhu2ovx6lg7lddvrzx6o5yvsyxesi3p5vvw4awtktkaqyr46eula._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
082c753b9065e2c0db0904195b91ae7b59b23d56252bf941c70cf9b0a5fcb6ea
Formbook
0d8247c4ed6a49e33ac5d481f08cdef22d2ed7caf2434d031e0a0cebe296893d
Formbook
12384caecb7a336ae37a29e642488b5cc45559c321dad21c4c8fa7868a2ce859
Formbook
3c2b603e5f2c4bf67f3e240cff2daa7ffca9703ce808e9893f446963ff72eb1e
Formbook
654385028b87dbf8e7387cd76dc69099cdcc344f97dc735647d429d11f7fe95f
Formbook
90af14f7e125ba4bb6b30152719708b262b08d77b30b02d02ee136d2acf8bfb5
Formbook
c41a86ef4cc333d1fa382b1aef023e72a4316dcbf7e0fd7b2670d2badfd17477
Formbook
d7abd39aef9b875bc280512418843d56e027212adfd34c36d7d20203168b8bad
Formbook
e9104c6f82a1b8c52bb881161440b8b1a8e3bf358cd60672dbfc14a2bc12518d
Formbook
+ 1'255 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230618-t6hfbagd84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
7bb70d3d4bc68aa15e8a93d035dc943e4860b944bba5767c8051738d6ceac24b
MD5 hash:
b3f6e6eb60ebf84ae5ad1f9926ab3ce9
SHA1 hash:
6c21c05971f62955fd3fbc2697c0407647224ee9
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
Parent samples :
02bc9f274f7ba4ec93358bfa71c5b658727b414e7e6301c50fac619227a78327
151eacb26f65117d4a4abb8473c8650edd42b079a662f7dc4c4ebdd966045d1c
ce3a332225a10d659e26a1775a2e002ce62d470c9f02c47bbbf69767c7e2ffa9
571f10fb2f8ed39463e85d4a5af98f8203489b60d7a634d890462f10d6b15f2d
2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf
0b7841ea5b8040d0a636dfb94f374666baec80ee31307dc156c947b287d8f1cc
a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516
89525d55fd73880fae8d04629ee885c441a497fb091eb73e204c91d9d03ddb05
742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
SH256 hash:
ee8044463d637bca6ee6967b5ab0ab04d28db515b94e1e09eb931f69d4bb4d22
MD5 hash:
bf2ac64a9f5788fbb6acd96d2a3391d5
SHA1 hash:
65a983320eee0701a12db8b79729d99ff2e64d17
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
SH256 hash:
8e8fa446f5323ed2709620ed553630fa829eb4e30a1afed32c21eecb44dcaef0
MD5 hash:
59a0def53c677598e84f7a622d994958
SHA1 hash:
c1646d936e25141fd01230c12fdc68e24d1f39de
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
SH256 hash:
a81d20a46f4fc08a285788a9a8ad41624369f6678112786c2d5980da6293845c
MD5 hash:
f5295b2f5a47fc8cacc33181bce50f4b
SHA1 hash:
b4ad11a326b19ba37bae623aabe96918fbeb74c1
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
SH256 hash:
a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516
MD5 hash:
9689c07b9b5503057eaacd8892bc6ed2
SHA1 hash:
77c497557ef834f7898518a9879ab1a07010c587
Link:
https://www.unpac.me/results/9f211e5c-0ba7-4125-be9d-58cf71c50270/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9e9a756fe59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400196/

Comments