MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299
SHA3-384 hash: ef56002ceaa88911111a10f4e84f646ac0573961f88af308e1896ce1abf135c51cfb11d155defd752d4ad9e9b84ccc38
SHA1 hash: 4958e9f636a2c75aa9f6ad46ad12a4a36513e482
MD5 hash: e2e2b1bd1df8d460c9b1d11097429d16
humanhash: sad-december-foxtrot-maine
File name:e2e2b1bd1df8d460c9b1d11097429d16
Download: download sample
Signature Formbook
Create hunting rule
File size:308'224 bytes
First seen:2021-09-03 09:02:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a5f1519af792c7c894446b2b7f883ca8 (2 x Stop, 1 x CryptBot, 1 x Smoke Loader)
ssdeep 6144:qBIRwnGF/wPiDHwUT5ssghL4lvNqRzeCIj6l6+ky+NjKyOS/2qV4:DNwPiDHN57ghLuvMUj6Y+khhKfS/R4
Threatray 7'736 similar samples on MalwareBazaar
TLSH T1EC64BE30BBA1C035F5B712F465B687BCA42A7A701B3050CBA2D52AEE16347E4DD3179B
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07480bba-fa44-48a3-2fa4-08d96ea0b1e6f6bb9f24-a9ee-566e-562d-a9a852cf498f_1630649167.eml
Verdict:
Malicious activity
Analysis date:
2021-09-03 06:46:37 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/68241fb7-7cee-4da6-a338-4162a53d3e95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185083/
Detection(s):
Win.Packed.Generic-9890178-0
Create hunting rule

Win.Malware.Generic-9890222-0
Create hunting rule

Win.Dropper.Raccoon-9890239-0
Create hunting rule

Win.Packed.Generic-9890255-0
Create hunting rule

Win.Malware.Generic-9890308-0
Create hunting rule

Win.Dropper.StopCrypt-9890322-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eacfa7b1-750f-4926-b37f-0cb4da5623f2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/844774
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 03:14:22 UTC
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkorg4dnvuyhuibb2h5bna7ennnzm4fzflio4xshjs7kayqnmkmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1f608cb60e33615fb8a94a9d240d27cf99bbe344e24a486ed3311623611930a0
Formbook
314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd
Formbook
8909a6a1081cf2202e33dbc0e496c5be450f360b8f2d63a05c8c671d5ffb00de
Formbook
8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23
Formbook
b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
Formbook
b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf
Formbook
ea66d2f582f9da718979a56b628e19a5712e41e979808cb84a8cb427fbe1ab30
Formbook
f782375e80f3a68b36457886ac1c6490e2497e6c9fb3ffdb33c1679597f0770e
Formbook
f792fdad86a8e30cb364d54392dd57b58b7699a17ef35b716f1a115516adfe10
Formbook
+ 7'726 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:imi7 loader rat
Link:
https://tria.ge/reports/210903-kz3cgagaam/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Xloader Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Xloader
Malware Config
C2 Extraction:
http://www.southerngiggle.com/imi7/
Unpacked files
SH256 hash:
ea88e40b750a9f44289afb18b9096c14c1a0d81ae92bd236fe3fd15bf9f8dd27
MD5 hash:
8110d942a1afd5a03fb68ef51e9bce54
SHA1 hash:
d22bf05fd3f760e6f65d5ab239adf71c25f0be09
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2945da6e-c173-43b7-a5dc-1654f2f23727/
Parent samples :
3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
12de2f015642b7430fdf5e76d186dc2c38161f4e2238e84d8dd9e4125d3bceec
4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0
b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf
bf9f97f369f730dbe091c7a5304ae2503f61eb0f226bfc763e0681cf07035618
ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299
01459f26c9c160284fbb5d73fe3e2c05634295c07c78b9667107950526af179c
4bd5c83d0ec09eb7019537466d0c3c1469986dce8c358041f65be1a60a6b6fe4
SH256 hash:
ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299
MD5 hash:
e2e2b1bd1df8d460c9b1d11097429d16
SHA1 hash:
4958e9f636a2c75aa9f6ad46ad12a4a36513e482
Link:
https://www.unpac.me/results/2945da6e-c173-43b7-a5dc-1654f2f23727/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1588340/
Cape
Cape
https://www.capesandbox.com/analysis/185083/

Comments


Avatar
zbet commented on 2021-09-03 09:02:22 UTC

url : hxxp://103.133.106.199/ibm/vbc.exe