MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e
SHA3-384 hash: ffe3fb8a59a434e2bbcfec1897940df14176d3d79eaf909d374c405d094ac15ee7b9a5de54948fc17d3edef0719f84a0
SHA1 hash: e2dfa81e1dd7c50ff86506e09c60f3883bb37b7c
MD5 hash: df12e9394a0b6fe9e3af1d48a7d77c7f
humanhash: enemy-california-stairway-fish
File name:BANK INFORMATION-M0025012022-971332pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:59'592 bytes
First seen:2022-01-25 15:19:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:kaltXa/eHUTQQQQQQxBdBgN6b5/2kWSC6WLrYlQ:kaltXa/eHUTQQQQQQ3dBft/2YWLrYlQ
Threatray 12'881 similar samples on MalwareBazaar
TLSH T13F436D42C2A24263E5A64B7270D34AC35FB0B00D5CF18AABD4C9715E8E9F3063557FDA
File icon (PE):PE icon
dhash icon 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BANK INFORMATION-M0025012022-971332pdf.exe
Verdict:
No threats detected
Analysis date:
2022-01-26 00:19:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e397ae4c-e165-4b98-accc-a0dc6ca64830

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222556/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61f0152ad73ca9d46487b654/reports/7be7e45f-10aa-41e7-98e2-7b5675508a48/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/12a04a9f-a1cd-4cc4-9b8d-050f88dd5eb8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927620
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 560094 Sample: BANK INFORMATION-M002501202... Startdate: 26/01/2022 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 4 other signatures 2->49 10 BANK INFORMATION-M0025012022-971332pdf.exe 14 3 2->10         started        15 explorer.exe 2->15         started        process3 dnsIp4 33 transfer.sh 144.76.136.153, 443, 49739, 49752 HETZNER-ASDE Germany 10->33 31 BANK INFORMATION-M...2-971332pdf.exe.log, ASCII 10->31 dropped 57 Writes to foreign memory regions 10->57 59 Allocates memory in foreign processes 10->59 61 Injects a PE file into a foreign processes 10->61 17 aspnet_compiler.exe 10->17         started        file5 signatures6 process7 signatures8 35 Modifies the context of a thread in another process (thread injection) 17->35 37 Maps a DLL or memory area into another process 17->37 39 Sample uses process hollowing technique 17->39 41 2 other signatures 17->41 20 explorer.exe 17->20 injected process9 process10 22 WWAHost.exe 20->22         started        signatures11 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        27 explorer.exe 3 149 22->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 13:03:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
11
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhg7iyvbfxdopb2xw7y3hlkp3ejzzl6qwhub2z6t2akb4kyjcn7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
40c96d51be2ae8a3360f39a25e522304df5999e05d99eeeeffb79fdc8fbbfd62
Formbook
438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde
Formbook
6d722da095632d50aa49b4749a4e7db323889aee6fad1ecc2c5dd999e63c645e
Formbook
75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2
Formbook
7f4888239060a411b5a521d19e88bb1158189634f764383c2c2fc0bb84e01169
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
b24fe0dd0ec4d61ac6903f6579d59dcffd17d0e002c96803a551aa3ab17367ef
Formbook
d277fc7f7001598fc7730b3bfec96ce2749f616d64fe20bcd403a599b1bc7c2c
Formbook
fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc
Formbook
+ 12'871 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:be4o loader rat suricata
Link:
https://tria.ge/reports/220125-sqrhlshgcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e
MD5 hash:
df12e9394a0b6fe9e3af1d48a7d77c7f
SHA1 hash:
e2dfa81e1dd7c50ff86506e09c60f3883bb37b7c
Link:
https://www.unpac.me/results/affd48fc-c5c6-4857-806c-8f67f8a84c7d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c9cdf462a12d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

691a995701f125f441eba5f41c70fbbf7030b1162f80d85ad547053aeb3dac4e

Formbook

Executable exe c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e

(this sample)

  
Dropped by
MD5 9a54f219eb3965603612c261ca5a4287
  
Dropped by
SHA256 691a995701f125f441eba5f41c70fbbf7030b1162f80d85ad547053aeb3dac4e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/222556/

Comments