MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments 1

SHA256 hash:	c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
SHA3-384 hash:	048cb918e5aad715b8862a793a88dd670101cdab23a9e346eca48552c59fae0f338b9f834db0405c710c74e2a6588259
SHA1 hash:	c33ea2eb219a088610847905251e5e2c3d2c87a2
MD5 hash:	a09f93f7606aa64851c9a8f82317b72f
humanhash:	sodium-emma-timing-juliet
File name:	a09f93f7606aa64851c9a8f82317b72f
Download:	download sample
Signature	Formbook Create hunting rule
File size:	529'408 bytes
First seen:	2022-06-21 19:05:42 UTC
Last seen:	2022-07-23 03:19:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:ML6RKFDBJG4SYpxCqFVADHJgFOYs6y0WUu5douHwXOTSC7yLcYfIt:ML6RcJG4VCqDAVwtvu5doV+WC7
Threatray	17'143 similar samples on MalwareBazaar
TLSH	T13BB4C09C7550BA8FC86BCC7289A42C60AA606477930BE247D49716EC9E4DADFCF141F3
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

factura.xlsx

Verdict:

Malicious activity

Analysis date:

2022-06-22 13:10:54 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/7e5fb0d8-3e95-42ff-880a-c5beba2665fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/282090/

Detection(s):

SecuriteInfo.com.Trojan.Heur3.CTR.2003fGm0@aK5pskp.26772.5444.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62b2169f08903778452de095/reports/cfa93a23-c6d0-484e-986e-61ed4c66324b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/94ded02d-db5b-40c6-b56d-a87b64c3f243

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017430

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-06-21 19:06:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zf3xzn4hphpjqecpdiavqt456b7dtn5m47k6m2dnejpheyn5srdq._file

Verdict:

malicious

Label(s):

formbook

Formbook

25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21

Formbook

4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18

Formbook

8ecf3a66141bdd66b2ba8201bb1fedbbbde5c4e5710b99ba2e1d523ad49011a1

Formbook

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538

Formbook

a013267b2dae410a6e166f9faaceebef0324d4b9036531856f10275f30ce41b8

Formbook

a92f8917b2e98217ede5359f7906dd0a60df26e087a1e1c33b81797a334fb448

Formbook

cf6f665f23b44c9c347fc9d3fbb3f6b3ccf3ab82366959437213ad77346e757d

Formbook

+ 17'133 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:nn40 loader rat

Link:

https://tria.ge/reports/220621-xr23ysdag8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3

MD5 hash:

f8fbac0b58d026c8dd80df878e2e7774

SHA1 hash:

69de8ce161c2fdd0d10aee01a20a1e3b2b51237c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c5e5b288-2d00-451b-82bf-6e4429b58324/

Parent samples :

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5

SH256 hash:

9f5cfd7115e28cf2dd891ab8783e1485d4d81d25927e5310d54a5d8eac071b72

MD5 hash:

a97442083051f29f7e570c68a77a7cdc

SHA1 hash:

ebcb2704893f95524b82c934f58abfb50337954b

Link:

https://www.unpac.me/results/c5e5b288-2d00-451b-82bf-6e4429b58324/

SH256 hash:

6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e

MD5 hash:

7ce2d10bd0f02667bc0e1343d9ffc1c1

SHA1 hash:

c3a5b4e5721085022eb7bf0008b7e449f9369fcf

Link:

https://www.unpac.me/results/c5e5b288-2d00-451b-82bf-6e4429b58324/

SH256 hash:

348315d0ca3c7942c3e2f46a05f8700f0b7be9f1d1a83ad828aac7972c69b7b4

MD5 hash:

0d590bd5a536ea5ee11a4f3367e81423

SHA1 hash:

5d9b1c558939509d7f2fb30f00425275bf41a3c4

Link:

https://www.unpac.me/results/c5e5b288-2d00-451b-82bf-6e4429b58324/

SH256 hash:

c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447

MD5 hash:

a09f93f7606aa64851c9a8f82317b72f

SHA1 hash:

c33ea2eb219a088610847905251e5e2c3d2c87a2

Link:

https://www.unpac.me/results/c5e5b288-2d00-451b-82bf-6e4429b58324/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c9777cb78779/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.