MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812
SHA3-384 hash: ea210b2369403da9ec30502694006f8826552a0910003463f4d64761adb88dab3535a0e9a33e1da8dd0572d0bcb104fc
SHA1 hash: c28d4f091f5f2a762641f816a62e625fb7e16ad5
MD5 hash: 81895faac851dd56f820886f4a74eed7
humanhash: papa-california-vegan-virginia
File name:c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812
Download: download sample
Signature Formbook
Create hunting rule
File size:620'544 bytes
First seen:2023-07-07 10:09:29 UTC
Last seen:2023-07-07 10:38:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:uPn4SXpaYkhpwHm3QVjp9MBSORnzf9uASi:uPn4SXpaxhpvAVt9M/p0
Threatray 3'419 similar samples on MalwareBazaar
TLSH T117D46A3C18BD1A37F074D6A98FE48463F550D47F39299A32A4DBCB516706EA228C723D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812
Verdict:
Malicious activity
Analysis date:
2023-07-07 10:11:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/51783f3e-beb4-40ba-89ad-9d90e0bbfb4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/410472/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67790538.29481.2497.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/64a7e47a342796a4a908299a/reports/a8c73713-6998-4d14-bc6f-3a87dabf8f90/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/69285bd7-5f1f-40c5-9a94-3b9487f91158
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269079
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1269079 Sample: xs40nWJPZA.exe Startdate: 07/07/2023 Architecture: WINDOWS Score: 100 59 www.newvoicehouseoflife.shop 2->59 75 Snort IDS alert for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 8 other signatures 2->81 11 xs40nWJPZA.exe 7 2->11         started        15 KrPThJaWQg.exe 5 2->15         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\KrPThJaWQg.exe, PE32 11->51 dropped 53 C:\Users\...\KrPThJaWQg.exe:Zone.Identifier, ASCII 11->53 dropped 55 C:\Users\user\AppData\Local\...\tmp7FC7.tmp, XML 11->55 dropped 57 C:\Users\user\AppData\...\xs40nWJPZA.exe.log, ASCII 11->57 dropped 89 Uses schtasks.exe or at.exe to add and modify task schedules 11->89 91 Adds a directory exclusion to Windows Defender 11->91 93 Tries to detect virtualization through RDTSC time measurements 11->93 17 xs40nWJPZA.exe 11->17         started        20 powershell.exe 21 11->20         started        22 powershell.exe 19 11->22         started        28 2 other processes 11->28 95 Multi AV Scanner detection for dropped file 15->95 97 Machine Learning detection for dropped file 15->97 24 KrPThJaWQg.exe 15->24         started        26 schtasks.exe 15->26         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 17->67 69 Maps a DLL or memory area into another process 17->69 71 Sample uses process hollowing technique 17->71 73 Queues an APC in another process (thread injection) 17->73 30 explorer.exe 2 1 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        process9 dnsIp10 61 fizyoceyhansicim.com 178.20.227.11, 49702, 80 SPD-NETTR Turkey 30->61 63 www.zbapexsurgical.biz 208.91.197.27, 49698, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 30->63 65 7 other IPs or domains 30->65 99 System process connects to network (likely due to code injection or exploit) 30->99 42 help.exe 30->42         started        45 rundll32.exe 30->45         started        signatures11 process12 signatures13 83 Modifies the context of a thread in another process (thread injection) 42->83 85 Maps a DLL or memory area into another process 42->85 87 Tries to detect virtualization through RDTSC time measurements 42->87 47 cmd.exe 42->47         started        process14 process15 49 conhost.exe 47->49         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 20:48:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgitkqgo2iki4uhflw53nqx2ypipsclen4mpek4xjnjpgnsb5aja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14ac214aee66557d77577da7211f5fa6476753b38ff8b40738c660a88c8ffd35
Formbook
35e53fdc9e554c33ffa134b23eb74b04b2bc07a2eaca797f4af2e467979eb34d
Formbook
68ba26474bb29bdbc42cfddd75f212eec1ffa22d5c1affc893addce5330f4e11
Formbook
81cc12cb517ef66335a22cae970b19cc0f43f874cb97ee1acd757fe0b5e52b36
Formbook
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
Formbook
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
Formbook
e2ceee53e039eaca503c58bd2be1b268bfbc1f17a7568e70bdedf5ca8d1bd637
Formbook
ed2689d4f89e5f40f8ddf93839da8b822d008329530090975edb6d0909bee67f
Formbook
f3a16fbf76dc776eb61b55b5a5aa8d3203e77effc2e05d85f93df96612323095
Formbook
fa50f197e39eb37efdbd83462dd11e3057e45f88d9acb8b7e99c50c44c1936b7
Formbook
+ 3'409 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ea04 rat spyware stealer trojan
Link:
https://tria.ge/reports/230707-l7cmfshd3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
60e607301173a7f635112bfab8dcdf095395fd4ce64c82a28c3fa1b179526cb7
MD5 hash:
ea15dc3167c86f858bf1fd7839dc0fbd
SHA1 hash:
dd04b0cb73acaed3b56e34fcd3f35fbf47fff92d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
66605594e8a48022eee0e46f56c1b4f736694549a93073c3600a4e89439eb545
MD5 hash:
7e38d0e016317979651981911e1240e9
SHA1 hash:
e08ce3eabf01ae778af01a9d2678a7dd36c36529
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
60e607301173a7f635112bfab8dcdf095395fd4ce64c82a28c3fa1b179526cb7
MD5 hash:
ea15dc3167c86f858bf1fd7839dc0fbd
SHA1 hash:
dd04b0cb73acaed3b56e34fcd3f35fbf47fff92d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
66605594e8a48022eee0e46f56c1b4f736694549a93073c3600a4e89439eb545
MD5 hash:
7e38d0e016317979651981911e1240e9
SHA1 hash:
e08ce3eabf01ae778af01a9d2678a7dd36c36529
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3
MD5 hash:
ddc8615f9751995ed3950b1ca6977412
SHA1 hash:
62350c8523f0ff5cda8979330237c66c19d27c74
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
6442dc477e6022c9f595ae6d192e9b0b109944c5551e1fa4c921338696fec20a
MD5 hash:
56aff6dbb094587524ee9a27f1810035
SHA1 hash:
47fa6197798b851686760d8dd0984b305b71b6f6
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3
MD5 hash:
ddc8615f9751995ed3950b1ca6977412
SHA1 hash:
62350c8523f0ff5cda8979330237c66c19d27c74
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
6442dc477e6022c9f595ae6d192e9b0b109944c5551e1fa4c921338696fec20a
MD5 hash:
56aff6dbb094587524ee9a27f1810035
SHA1 hash:
47fa6197798b851686760d8dd0984b305b71b6f6
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
60e607301173a7f635112bfab8dcdf095395fd4ce64c82a28c3fa1b179526cb7
MD5 hash:
ea15dc3167c86f858bf1fd7839dc0fbd
SHA1 hash:
dd04b0cb73acaed3b56e34fcd3f35fbf47fff92d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
66605594e8a48022eee0e46f56c1b4f736694549a93073c3600a4e89439eb545
MD5 hash:
7e38d0e016317979651981911e1240e9
SHA1 hash:
e08ce3eabf01ae778af01a9d2678a7dd36c36529
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3
MD5 hash:
ddc8615f9751995ed3950b1ca6977412
SHA1 hash:
62350c8523f0ff5cda8979330237c66c19d27c74
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
6442dc477e6022c9f595ae6d192e9b0b109944c5551e1fa4c921338696fec20a
MD5 hash:
56aff6dbb094587524ee9a27f1810035
SHA1 hash:
47fa6197798b851686760d8dd0984b305b71b6f6
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
60e607301173a7f635112bfab8dcdf095395fd4ce64c82a28c3fa1b179526cb7
MD5 hash:
ea15dc3167c86f858bf1fd7839dc0fbd
SHA1 hash:
dd04b0cb73acaed3b56e34fcd3f35fbf47fff92d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
66605594e8a48022eee0e46f56c1b4f736694549a93073c3600a4e89439eb545
MD5 hash:
7e38d0e016317979651981911e1240e9
SHA1 hash:
e08ce3eabf01ae778af01a9d2678a7dd36c36529
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3
MD5 hash:
ddc8615f9751995ed3950b1ca6977412
SHA1 hash:
62350c8523f0ff5cda8979330237c66c19d27c74
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
6442dc477e6022c9f595ae6d192e9b0b109944c5551e1fa4c921338696fec20a
MD5 hash:
56aff6dbb094587524ee9a27f1810035
SHA1 hash:
47fa6197798b851686760d8dd0984b305b71b6f6
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
SH256 hash:
c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812
MD5 hash:
81895faac851dd56f820886f4a74eed7
SHA1 hash:
c28d4f091f5f2a762641f816a62e625fb7e16ad5
Link:
https://www.unpac.me/results/cee6e868-d718-41fc-bde3-8f87ab66d781/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9913540ced2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9913540ced2148e50e55dbbb6c2fac3d0f909646f18f22b974b52f33641e812

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/410472/

Comments