MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9d9a78770bcd89cf5a0875a3c099bd2be2f6460878aa6db722f3fcd2319f322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9d9a78770bcd89cf5a0875a3c099bd2be2f6460878aa6db722f3fcd2319f322
SHA3-384 hash: b097a30e8eff5927c71a067810ad2a33b5191cfaf282dd2bd0a4b22bfb33977b08744b586492bba5e7879c5b00388036
SHA1 hash: 4604cef04122023bf3a35083b2e7ab8edfa5b329
MD5 hash: 695ce44856e02eff7fcb34067f8c1df3
humanhash: oscar-white-uncle-fillet
File name:695ce44856e02eff7fcb34067f8c1df3
Download: download sample
Signature Formbook
Create hunting rule
File size:177'152 bytes
First seen:2022-01-21 18:08:14 UTC
Last seen:2022-01-21 20:18:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:vZ/Bcb9W1aYVtSHPWclhVm13jtJXtg5k4ZaDBo+CO8nYOj0B:h/Bcb9Wi5k4ZaDBo+CO8nPj0B
Threatray 12'062 similar samples on MalwareBazaar
TLSH T14604C335EAF7DDB0CA52093BA12CFA2D0D1D2D791D67F8492458FD23AEB6ACC9840171
File icon (PE):PE icon
dhash icon 58cbdadadadadd58 (9 x SnakeKeylogger, 6 x Formbook, 4 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
695ce44856e02eff7fcb34067f8c1df3
Verdict:
Malicious activity
Analysis date:
2022-01-22 04:33:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8cd4f71e-5082-4373-9c98-d9227f694e87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221555/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.35002.8501.16973.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe strictor
Link:
https://www.filescan.io/uploads/61eaf6c5d32385db63167b59/reports/a1495b15-2feb-4e49-8a2e-db8b87c80b74/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/78fbbc1f-1672-4cc4-a2c1-a5b494603fee
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925420
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557898 Sample: Qv0gDzyU31 Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 8 other signatures 2->63 9 Qv0gDzyU31.exe 15 7 2->9         started        process3 dnsIp4 51 trietlongvinhvien.info 150.95.104.46, 49717, 80 RUNSYSTEM-AS-VNGMO-ZcomRunsystemJointStockCompanyVN Viet Nam 9->51 37 C:\Users\user\AppData\Roaming\...\update..exe, PE32 9->37 dropped 39 C:\Users\user\...\update..exe:Zone.Identifier, ASCII 9->39 dropped 41 C:\Users\user\AppData\...\Qv0gDzyU31.exe.log, ASCII 9->41 dropped 65 Creates an undocumented autostart registry key 9->65 67 Encrypted powershell cmdline option found 9->67 69 Tries to detect virtualization through RDTSC time measurements 9->69 71 Injects a PE file into a foreign processes 9->71 14 Qv0gDzyU31.exe 9->14         started        17 powershell.exe 9 9->17         started        19 Qv0gDzyU31.exe 9->19         started        file5 signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 14->73 75 Maps a DLL or memory area into another process 14->75 77 Sample uses process hollowing technique 14->77 79 Queues an APC in another process (thread injection) 14->79 21 explorer.exe 14->21 injected 81 Uses ping.exe to check the status of other devices and networks 17->81 23 PING.EXE 1 17->23         started        26 PING.EXE 1 17->26         started        28 PING.EXE 1 17->28         started        30 3 other processes 17->30 process9 dnsIp10 32 wlanext.exe 21->32         started        43 yahoo.com 74.6.143.25 YAHOO-3US United States 23->43 45 192.168.2.1 unknown unknown 23->45 47 74.6.231.21 YAHOO-NE1US United States 28->47 49 74.6.231.20 YAHOO-NE1US United States 30->49 process11 signatures12 53 Self deletion via cmd delete 32->53 55 Tries to detect virtualization through RDTSC time measurements 32->55 35 cmd.exe 32->35         started        process13
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9d9a78770bcd89cf5a0875a3c099bd2be2f6460878aa6db722f3fcd2319f322/
Threat name:
ByteCode-MSIL.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 04:56:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 28 (75.00%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Formbook
db4d5bd36f923fdd47daf48ace971f47e9764d27a2f88241f09c754c042efc28
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
f136f4f9c59c4ff2582063222c6df106a3d1e3d7d9220ff73e3cb2ec487fe1db
Formbook
fa070ad21750a69c17bd104ae6fac4b05d12fe9d689101a38553619519f7edfb
Formbook
+ 12'052 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a6ms rat spyware stealer trojan
Link:
https://tria.ge/reports/220121-wrfpaaaeh5/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
d9d9a78770bcd89cf5a0875a3c099bd2be2f6460878aa6db722f3fcd2319f322
MD5 hash:
695ce44856e02eff7fcb34067f8c1df3
SHA1 hash:
4604cef04122023bf3a35083b2e7ab8edfa5b329
Link:
https://www.unpac.me/results/226742a8-8c19-472a-a7f1-f787bb4d8854/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9d9a78770bcd89cf5a0875a3c099bd2be2f6460878aa6db722f3fcd2319f322

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d9d9a78770bcd89cf5a0875a3c099bd2be2f6460878aa6db722f3fcd2319f322

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1996186/
Cape
Cape
https://www.capesandbox.com/analysis/221555/

Comments


Avatar
zbet commented on 2022-01-21 18:08:15 UTC

url : hxxp://trietlongvinhvien.info/.tmb/ID4/Onxeq.exe