MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5
SHA3-384 hash: 5ae613f10dbb9441cb5b0bdca5211a77ee45758386f97206ea99306bc7ebedf83cce4ca0e43d79b12918bfdef345af24
SHA1 hash: 6425851753dc543fcdd5de09df6506370e7abdc0
MD5 hash: a4a65e0f37cfa1fbb499e37c3b349db9
humanhash: network-papa-mockingbird-ten
File name:AG-037551 revised PO#01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:614'912 bytes
First seen:2023-04-24 07:19:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:+dj4Y86F+Rq45xvdu3m21BVCZD2IlF1tJYKxeZ1LbJB:+hQ6Mb3vduP1fsHlTjYKxeDr
Threatray 2'929 similar samples on MalwareBazaar
TLSH T1BBD4121404FCD277C41D087B29B4E32307BA5E936992FBA129DD5CB97D737858230BAA
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon a2f2d2888ce4a6c0 (1 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AG-037551 revised PO#01.exe
Verdict:
Malicious activity
Analysis date:
2023-04-24 07:22:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91a47734-4880-4e38-93e4-b6110bbb186a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/384439/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64462da5115cd381d96cac48/reports/23f8c381-9b86-4f85-aca3-ae866c35d51d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8346492c-34a4-48a9-bdef-7fb457d6e39e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1219747
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 07:20:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgrzynvq7nevxwawvrfxkd4apc3ozu6s3fwgkg4c3sjphutitlcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0fdc5a8bd9026a352ad7c986e4c690f7a85924235ef648a2a313f12f9ea885d5
Formbook
17483ba2526d9ba490c29dc88e5c1a066b0c26f22243e02d312542a53f292393
Formbook
1c0a9c963662d8f1a32f87a3c33f14c5684707e97257a2583dbfa74c89e51800
Formbook
2c66d41ea5a85fe54c36039b1a2636cb74b676a5a12341bdcab562c5a63a312a
Formbook
42f025f744bb97509425ac749ada6c20ef6439d193e537a013b981ad4d21e124
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
7bf6863ca040ff44fef29dab94fd94341cbd0b67cc52f60c398a6cf6dd69090a
Formbook
d02ef9df3bc1af2c02ad5a9904ea604a55a6a93b5e08ca518232b96fec13882f
Formbook
ec27e95180289cd7ca8ebfafc4a1ec973448dcda09892716324966ac95ce4a87
Formbook
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
Formbook
+ 2'919 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230424-h535vacb21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
50d375d039b81b3f2abc9da7d866ada6d600ffc58274413ec1a4573439eb2e3a
MD5 hash:
9dd289bc345e6e01c6f0e69bcdd1ef3e
SHA1 hash:
11d7773861e887c09961f9e9632200ccc73baf28
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1a8d8887-86bd-4809-9f03-9fedd4db15c1/
Parent samples :
d02ef9df3bc1af2c02ad5a9904ea604a55a6a93b5e08ca518232b96fec13882f
c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5
38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12
SH256 hash:
cc05c5a52e169abc5033c80c5c5c9b4bb3ceb451ee3afe816e17c8fe00e28d24
MD5 hash:
ea74c2e435710fe5727e02b97d578468
SHA1 hash:
d635ea803de96e5ea4d4d9e70427e2c4e9ff3a14
Link:
https://www.unpac.me/results/1a8d8887-86bd-4809-9f03-9fedd4db15c1/
SH256 hash:
cd6f1781aec2eb4c7a810eb27cf2b29586106ad8e4f0c471bf362271f09af127
MD5 hash:
70f47306a17a46e076d1540d26f0d227
SHA1 hash:
f74595d3ea639be5894a6405f44bc98997cb1383
Link:
https://www.unpac.me/results/1a8d8887-86bd-4809-9f03-9fedd4db15c1/
SH256 hash:
a0bca034e69f485c6a372c762584171b79ec757464015cd6fabe67cea7076eee
MD5 hash:
3f76b265ce68f94f4833e9440fb33dd9
SHA1 hash:
d8ac88c8d950ea3cb9d28feec81aff4e800da952
Link:
https://www.unpac.me/results/1a8d8887-86bd-4809-9f03-9fedd4db15c1/
SH256 hash:
41bd13401ae39d251b36b5ef20b6c531102f9018ccb85bc9ac222ef122bd7077
MD5 hash:
b816abfeabe92d9713859076ecf1f5da
SHA1 hash:
6a2bf00899b19bcbd93fff2c86789d41739b2408
Link:
https://www.unpac.me/results/1a8d8887-86bd-4809-9f03-9fedd4db15c1/
SH256 hash:
c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5
MD5 hash:
a4a65e0f37cfa1fbb499e37c3b349db9
SHA1 hash:
6425851753dc543fcdd5de09df6506370e7abdc0
Link:
https://www.unpac.me/results/1a8d8887-86bd-4809-9f03-9fedd4db15c1/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9a39c36b0fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/384439/

Comments