MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734
SHA3-384 hash: b5a405a7735f90ec55d7a152786ee5ee9dc049bf51c9e2e0a74eaf9c02b14b8fa891eb4e5c5ea32515b4e515d7e9298b
SHA1 hash: 8ce8dc75f001d54a622844034d4159268c4bf994
MD5 hash: 22f9f9ee353bd2cb4fa8402de52626c2
humanhash: twenty-friend-kentucky-snake
File name:LOWE COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:974'848 bytes
First seen:2021-01-15 07:12:13 UTC
Last seen:2021-01-15 09:12:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:noPE+Wz8/2VLq0NK0cuBqQj3Chnkdyx6wJKkCh6kvk:od4uj0cucO3CJkIx7skChb
Threatray 3'373 similar samples on MalwareBazaar
TLSH E1254A819B805B04EA7C63BD2429086057F7EB6AF3F8F75CED85B0B56B9391540FE086
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: sonic310-15.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.135.125
From: Afzal Saleem <afzal.impressions@yahoo.com>
Subject: URGENT
Attachment: LOWE COPY.rar (contains "LOWE COPY.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LOWE COPY.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:39:02 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/45c175f7-9956-4a0b-ba42-00218a275642

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112176/
Detection(s):
SecuriteInfo.com.Artemis22F9F9EE353B.14040.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582255
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 340166 Sample: LOWE COPY.exe Startdate: 15/01/2021 Architecture: WINDOWS Score: 100 34 www.oldeny.com 2->34 36 www.jobcarepro.com 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 7 other signatures 2->52 11 LOWE COPY.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\LOWE COPY.exe.log, ASCII 11->32 dropped 62 Injects a PE file into a foreign processes 11->62 15 LOWE COPY.exe 11->15         started        18 LOWE COPY.exe 11->18         started        signatures6 process7 signatures8 64 Modifies the context of a thread in another process (thread injection) 15->64 66 Maps a DLL or memory area into another process 15->66 68 Sample uses process hollowing technique 15->68 70 Queues an APC in another process (thread injection) 15->70 20 explorer.exe 15->20 injected process9 dnsIp10 38 sbq58.com 45.221.108.223, 49699, 49719, 80 sun-asnSC South Africa 20->38 40 a-emeservice.com 162.214.103.133, 49716, 80 UNIFIEDLAYER-AS-1US United States 20->40 42 21 other IPs or domains 20->42 54 System process connects to network (likely due to code injection or exploit) 20->54 24 msdt.exe 12 20->24         started        signatures11 process12 dnsIp13 44 www.jobcarepro.com 24->44 56 Modifies the context of a thread in another process (thread injection) 24->56 58 Maps a DLL or memory area into another process 24->58 60 Tries to detect virtualization through RDTSC time measurements 24->60 28 cmd.exe 1 24->28         started        signatures14 process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734/
Threat name:
ByteCode-MSIL.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 07:13:06 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=anfiqbcm3jk6l2ez3wsxaz2fbo3skee5z7eri7lk4qoxwccyi42a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3571d3ca49f3c593d4b34f2d7bd9aa8ab2b0bfb99111a2a2561a0d25d494fa2f
Formbook
7aa2116b5dcb055987e0e18b5e2f869eae15f6093adfd55b6a6d28b8be53dcb4
Formbook
7cce0fb3ca1f67eb737ad33944f7d2a2e860abf82ebb435ae69b9e415a859d4b
Formbook
8daa411eb30ad00d9be98b72d66343cd681616040c1b825a4b35bfc2a27ee1de
Formbook
90f2c4a6ef44f74b478893cdd505c759dbe924f984daf87726ba7e64edd091c4
Formbook
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
Formbook
bcba31709cecf79a6996bda8b48a9e891db6de827c852404634a96d248560ba3
Formbook
bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae
Formbook
cf881c52980129f685da1dee4674018fa0fc1db346565dd917ae0160ce26b25d
Formbook
f1c600a86d9492512f5c80574f885bc0b2c0f058419f58b1c8800eb6e1502713
Formbook
+ 3'363 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210115-dhe6y3b7ms/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.a-emeservice.com/m8ec/
Unpacked files
SH256 hash:
02a06df8bc08403d77a462276015276a6f4fdc441c533cb75f58ef17dd607091
MD5 hash:
0cde4f93609628c9805d616f7c97893e
SHA1 hash:
add10d0a19ac3273555dbd07d3d946ccddc26e37
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef6fab92-fd6b-443b-8349-596745a02466/
SH256 hash:
201a4b8e38c65af67ba94ceeee17e8ad422cb94762bbd3784ab933bf409e516c
MD5 hash:
5ed0d252d91d6b6b9b16afa6a7a83c1a
SHA1 hash:
c891497634717bc31bb0d4088cecb66f53e16530
Link:
https://www.unpac.me/results/ef6fab92-fd6b-443b-8349-596745a02466/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/ef6fab92-fd6b-443b-8349-596745a02466/
SH256 hash:
034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734
MD5 hash:
22f9f9ee353bd2cb4fa8402de52626c2
SHA1 hash:
8ce8dc75f001d54a622844034d4159268c4bf994
Link:
https://www.unpac.me/results/ef6fab92-fd6b-443b-8349-596745a02466/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 0f3a83add3ec8389474db46604eab021c94767177700748dc548f9d72c0b7e58

Formbook

Executable exe 034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734

(this sample)

  
Dropped by
MD5 e6fcd247651f6410c4c7bd425b0bcbe1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112176/
  
Dropped by
SHA256 0f3a83add3ec8389474db46604eab021c94767177700748dc548f9d72c0b7e58

Comments