MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4
SHA3-384 hash: 1d12e85921f22eeb8cad176d68a5bcf95218ccee4130ea532f5447ce6894abe8c19ada2c3a57722327679d2f93fa2d81
SHA1 hash: 2c60049cbd246bcc4ab1a6568e5702e4e744c91b
MD5 hash: e9584872908db7e839bf70e9723c9793
humanhash: autumn-fix-eleven-november
File name:TNT Original Invoice 12.10.2022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:930'304 bytes
First seen:2022-10-12 13:17:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:z/Dp/MPWouvL7Pgf4c1AFSASf/TGy84Zz0WNzT0RV9XJwnDkAO98NAFPUDR+AZg:7mPWouvvNciFSA0TGy8s0B9XynD7Ok
TLSH T1BF156BBA2192614FD4167131C8C7DAF36AFB6D617112D1C796D32F6FBC480BF9A02292
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook TNT

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319370/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19712.18090.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6346be8c5cada2cbc6ebbf13/reports/f1ed08c1-5128-46eb-ad25-93b21c627d44/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e8495a2-166d-4d6f-bd92-d931f93951b3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089313
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 721912 Sample: TNT Original Invoice 12.10.... Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 29 www.catsyproxy.com 2->29 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 7 other signatures 2->43 9 TNT Original Invoice 12.10.2022.exe 3 2->9         started        signatures3 process4 file5 27 TNT Original Invoice 12.10.2022.exe.log, ASCII 9->27 dropped 55 Injects a PE file into a foreign processes 9->55 13 TNT Original Invoice 12.10.2022.exe 9->13         started        16 TNT Original Invoice 12.10.2022.exe 9->16         started        18 TNT Original Invoice 12.10.2022.exe 9->18         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 20 explorer.exe 13->20 injected process9 dnsIp10 31 www.madhavropa.com 162.213.249.67, 49700, 80 NAMECHEAP-NETUS United States 20->31 33 www.tpc-tt.site 20->33 35 www.metodotorresmiguel.site 20->35 45 System process connects to network (likely due to code injection or exploit) 20->45 24 explorer.exe 13 20->24         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 24->47 49 Tries to harvest and steal browser information (history, passwords, etc) 24->49 51 Deletes itself after installation 24->51 53 2 other signatures 24->53
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 07:01:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycoo4znola3btauaymr4wus2nglsduwafsgihoqp6yiyswjhot2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:uymo rat spyware stealer trojan
Link:
https://tria.ge/reports/221012-qjybgadef8/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9fb4aae9-d645-4d36-9119-dbc47ed04c4f
Unpacked files
SH256 hash:
4a0f25ba5bfa58f0da9d5d8b3a5fcb8410768dba642d1ed49055992ba6b424b7
MD5 hash:
61124d94be8974bcce5368650b3e6628
SHA1 hash:
96108297e87b81bb05e725ef111822d47d866978
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
Parent samples :
9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369
fbc14992308d88c7a33989479793655a4ff4c9caeb3c011f6e95b11c55f675ef
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
e3ac8c8b67752d68d7c6b20ceee1fd8d60d8506b0da5cd589c6e5976ecf8b0c1
310b4ffa559e06b739ba7b4d7cd12f47286aec7352a8aa5296955f0a7f49b190
c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4
5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753
SH256 hash:
cc8d00bd20e65f242e9dd5f769d3f4db614b79dfd8866d9782a0c6cef1e304b4
MD5 hash:
0ceb5c1d97b423df5f236c7ff088942b
SHA1 hash:
d5ff267189a16c064d3bd20c45faa086d9379cc6
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
SH256 hash:
1019e3c8c918ab9949d53aaf8ede882eac3d1457b389b3c9bf4d85bcd0e5699a
MD5 hash:
d6a32292347e5d7022c72b9a5ec3c153
SHA1 hash:
a339500e71f446941a08e2e076eae73af7d64d0f
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
SH256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
SH256 hash:
cbc9218cac23bcae99108ea7e2de480584d69b0ecf15ecc6d4290f866b0c896a
MD5 hash:
296972ed3c432bfd9d79d037acf27c03
SHA1 hash:
513b829c53824348b6929142f32acd9931037cb0
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
SH256 hash:
c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4
MD5 hash:
e9584872908db7e839bf70e9723c9793
SHA1 hash:
2c60049cbd246bcc4ab1a6568e5702e4e744c91b
Link:
https://www.unpac.me/results/06175c61-f34d-46bf-a4bf-686a27028e34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319370/

Comments