MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3
SHA3-384 hash:	3e9715f5f9ea4aa27d74be80d0134a409a509eca551dcd577194d15b3b60644e345225631d73f8b058425b62fc74de0c
SHA1 hash:	444affa0955539375013da28c2a62cb7294c4a91
MD5 hash:	e21e24d85db1ff3225b5dd1a2284cf27
humanhash:	venus-purple-romeo-speaker
File name:	e21e24d85db1ff3225b5dd1a2284cf27.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	396'800 bytes
First seen:	2021-03-13 15:28:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9c2408c4e289059dc1f7339d62dec625 (2 x RaccoonStealer, 1 x Formbook)
ssdeep	6144:rgWlsg16t427dkmlo85TLHgGJ6Lh0+PTvaV5d+lrtz89bU:rF6E6t4273loUTDK0+7aVbMe9b
Threatray	4'167 similar samples on MalwareBazaar
TLSH	4A84AF3077E1D434F5B212B84B7583F8A53D7DA0AB2891CF52D62AEA66346E0EC30757
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request for Quotations 090321 - Parker.docx

Verdict:

Malicious activity

Analysis date:

2021-03-11 11:23:42 UTC

Tags:

generated-doc opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/38e48c2e-82c4-457e-b2fa-0077c765d023

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/124150/

Detection(s):

Win.Packed.Tofsee-9840603-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/638710

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-03-11 10:16:55 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zgvqemlq7gj2b6tyrgwo77gy3boot5b5zmklzizb7fogcshgphrq._file

Verdict:

malicious

Label(s):

formbook

Formbook

48b5f73b85cc94914ad9190896b29a400558a8a4a50e67132f7988e11532b5fc

Formbook

56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8

Formbook

59a6f0a402a4172f893c1747b51c7e1a7d6092fe091e1a9497067849efb5eec2

Formbook

6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8

Formbook

8160be86cfef6146d2b7aad72e89cfe0a7cb7e11514107782d8cf7a372ea6c48

Formbook

a86f792a5a3d424b756508cb462d3ca9b454f2513a5471df5d41da33649748e9

Formbook

b2697b1c939e346a4adcf8ed2cb4a0e493f2390a54a0457c95fea5485c2fa19b

Formbook

c935e13396041731908b9fbb5c4e74c38b9f374eb9a47d419038ac539008c94c

Formbook

ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

Formbook

+ 4'157 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210313-aq1ad6e72x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Xloader Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Xloader

Malware Config

C2 Extraction:

http://www.tgofilms.com/e8mc/

Unpacked files

SH256 hash:

ea8924d31c372827b7516d92b3b64f1d00b97ceea4c51199d9a5d14cf8c60b9c

MD5 hash:

ed61b1b79a2c72caf66fc8dd76c5bed0

SHA1 hash:

00e231cbd49689d6ceb491f8434fd07dde7c5477

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/61e08a61-670b-45aa-8576-9ab12067d5b4/

Parent samples :

6bbe2d663bd7e2ae586d3627f7d132f19992decb9e006387f4deeb236b68e9d8
56f6ae8977212fbc76c8395b969260cbb6daa8e73a6118b0e1493ab71722ddc8
c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3

SH256 hash:

c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3

MD5 hash:

e21e24d85db1ff3225b5dd1a2284cf27

SHA1 hash:

444affa0955539375013da28c2a62cb7294c4a91

Link:

https://www.unpac.me/results/61e08a61-670b-45aa-8576-9ab12067d5b4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Azorult

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9ab023170f993a0fa7889aceffcd8d85ce9f43dcb14bca321f95c6148e679e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator