MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2
SHA3-384 hash: a9ef9ccb83cd1e75c8bcbf9e90178e6cee1abe9fefe7e704e7beab504b326a71d87e9bfecef8f77d4673c196431378f8
SHA1 hash: da993079a89eb6d478a8df4cad7ddda4d6756aba
MD5 hash: e8b1d358fb7f80a9a3d4cf79156eb585
humanhash: kentucky-maryland-wisconsin-river
File name:USD INV#1191189.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:385'536 bytes
First seen:2021-08-27 05:16:50 UTC
Last seen:2021-09-04 07:01:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (63 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:y4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pze:pXe9PPlowWX0t6mOQwg1Qd15CcYk0Weu
Threatray 8'706 similar samples on MalwareBazaar
TLSH T1FB8412165CD64C9AE6D4B7F860F18657253A7C6204248389EDF8FF2C9972213ECC24BE
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
USD INV#1191189.exe
Verdict:
Malicious activity
Analysis date:
2021-08-27 05:18:48 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/0b471bec-a305-4932-b964-2e1d081131d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182797/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

SecuriteInfo.com.VHO.Trojan-Spy.Win32.Noon.bbue.17537.2573.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74feb7fb-b359-47b9-a89c-0e5f07e95fe2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840185
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472613 Sample: USD INV#1191189.exe Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 USD INV#1191189.exe 15 2->10         started        process3 dnsIp4 34 a.tmp.ninja 198.251.89.86, 443, 49719 PONYNETUS United States 10->34 54 Maps a DLL or memory area into another process 10->54 14 USD INV#1191189.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 28 freedownloadbiz.info 188.72.236.136, 49744, 80 WEBZILLANL Netherlands 17->28 30 xn--marketingrevolucin-61b.com 192.254.187.234, 49750, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 18 other IPs or domains 17->32 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 rundll32.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 03:06:27 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcp5yojtrkwk7n7lafrxk7jltbr7pdsum6xqc77uvuxqtyhcm2ra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374
Formbook
385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4
Formbook
43368f8d0f777c8f0a9fb5dc2ec89f131275873935098ff8a12be41cd2161ecf
Formbook
5b7a858563dfd290658d183a0d1c101e39a9dda3327e84c11ef12bc873cb98b9
Formbook
8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46
Formbook
8c84e97b71aa8d34be8742cd4b6c0b86abdfb92379b099465eb751b0882efb23
Formbook
93f0775c5a5512759f85db7b3d1c4b3ee7049369cd0dcd1d4f778626621bfa0c
Formbook
c71e73a5006f03bf63ad6099f034a3d19a130a6893979c43318eca2cb6bfd224
Formbook
+ 8'696 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6cu loader rat suricata upx
Link:
https://tria.ge/reports/210827-tfymwvbdta/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.xn--marketingrevolucin-61b.com/b6cu/
Unpacked files
SH256 hash:
aca73336e801449e85650d8ecec3acfee897dfc8d89b90b7902007f83766c6f1
MD5 hash:
b579f9be609786682145b9802d705667
SHA1 hash:
7fb3141f6c4b1608ed4e347e7ab5161ea18747bf
Link:
https://www.unpac.me/results/09b58ef7-9a54-4a99-8d33-b692a776cf2e/
SH256 hash:
b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2
MD5 hash:
e8b1d358fb7f80a9a3d4cf79156eb585
SHA1 hash:
da993079a89eb6d478a8df4cad7ddda4d6756aba
Link:
https://www.unpac.me/results/09b58ef7-9a54-4a99-8d33-b692a776cf2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182797/

Comments