MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SHA3-384 hash: 7f833ed06e4a28a92b31fa931476cd5f7a5e10f5752866157902229d03dc7dfd7c8238b32d9c90e1cf50697e63dd31c5
SHA1 hash: e5ea01305c8447e01d78733d7982b79ac45b6581
MD5 hash: c6d0aca39ecb129499f77720fbaa92b1
humanhash: eight-ohio-twenty-music
File name:SecuriteInfo.com.W32.AIDetectNet.01.10684.28141
Download: download sample
Signature Formbook
Create hunting rule
File size:630'784 bytes
First seen:2022-07-05 03:42:43 UTC
Last seen:2022-07-22 10:26:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:j/BePSVM+qV7k4IET/r0dQ93CLrC2FsEbAosT4qBY4s/h:jBZZMkILr0d08C2JssqO4s/
TLSH T155D40270F3690967CAED84F88080936003BA876A6961EBCCDD8572D657C67F141FEB93
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f0c4d2d2c4f070 (11 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.10684.28141.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c3b386783441cda106df90/reports/6756aceb-8015-4905-8499-41ed1a0a1a94/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/694ca839-1179-49f1-97ba-b7dcd1b7bf30
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1024538
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 03:43:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gktyjnlu4qee6trejqjxixmh3kcqypjvtlddxc7fig6wpmfbc2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nn40 loader rat
Link:
https://tria.ge/reports/220705-d9w5waffa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3
MD5 hash:
f8fbac0b58d026c8dd80df878e2e7774
SHA1 hash:
69de8ce161c2fdd0d10aee01a20a1e3b2b51237c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/dd31446a-abef-4bc6-b29e-8f643a58664d/
Parent samples :
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SH256 hash:
1512787bbe744e65e6ad3dfec13310cd8e2cb7f50bc9595cf86a804668c3e179
MD5 hash:
da556cb6149f4bc639623578dcb8fd36
SHA1 hash:
cac0f55386b9f3ad8576ee6c76e6e6d0dd45cd11
Link:
https://www.unpac.me/results/dd31446a-abef-4bc6-b29e-8f643a58664d/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/dd31446a-abef-4bc6-b29e-8f643a58664d/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/dd31446a-abef-4bc6-b29e-8f643a58664d/
SH256 hash:
16810003e0f80ee90c335d6cfe30b4e99b1e556fcc77bed122ca01d80480a113
MD5 hash:
2e7abaeb76343ad951843f21a5686280
SHA1 hash:
085e3aff859f13512af42a3fbd4e1d43c717aede
Link:
https://www.unpac.me/results/dd31446a-abef-4bc6-b29e-8f643a58664d/
SH256 hash:
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
MD5 hash:
c6d0aca39ecb129499f77720fbaa92b1
SHA1 hash:
e5ea01305c8447e01d78733d7982b79ac45b6581
Link:
https://www.unpac.me/results/dd31446a-abef-4bc6-b29e-8f643a58664d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9953c25aba7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2253897/
  
Delivery method
Distributed via web download

Comments