MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559
SHA3-384 hash: 64435db201d3882f50e5b66738f46d934a5d492339661f25b107518ae67161c3d560aafad8d27c1090dfd9627b4fc37d
SHA1 hash: 9a47f80d537e8f6b56440169a73dba51222a607c
MD5 hash: 889c873694152d8246fa478aba1eb0ee
humanhash: september-fourteen-chicken-muppet
File name:350129441.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'505'856 bytes
First seen:2020-12-22 06:50:02 UTC
Last seen:2020-12-23 02:43:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:VvYfDOQkfwF1nrIaQJf01WfH42mrJJA6W7pv4Tkl/WI2f23bzXfMeeilzDaDetVn:VvGU
Threatray 3'292 similar samples on MalwareBazaar
TLSH 53654D02498168CBD7B3D090A34DC2D6B38795DCE7EA5FD4AE20E25532CC4B7EB69D81
Reporter cocaman
Tags:exe FormBook

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Dec 21 23:41:41 2020 GMT
Valid to:Dec 21 23:41:41 2021 GMT
Serial number: AAF7F7D292C8A5BB09C70307ED3EFD
Thumbprint Algorithm:SHA256
Thumbprint: 9883F6641D50C2C8C3F1749BAA459C22293DE091D2FC12CEA82C59284EB88EBB
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
350129441.exe
Verdict:
Malicious activity
Analysis date:
2020-12-22 07:04:45 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/2294daaa-5845-453a-8b59-17b3d029cc85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108817/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.56260.25313.10230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/567934
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 01:14:37 UTC
File Type:
PE (.Net Exe)
AV detection:
19 of 28 (67.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gtfuiwwg7hb5yygumw5kr753zjnlv6cpzzh7ob2wfdtm2hkbyvmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16a4855bceb4df02e0478cd72972a6e7f144f2278fedb239c2cb696cf6bf7199
Formbook
2693356eb785b39160f0dd89c916020ab5ae032faaa931b30c393e93da2740e4
Formbook
277cbccaab65669d5d245b53cc8dec596db650f30daf23c62b8a54cf93867b8d
Formbook
333a258f45e7a8baaab72b1539859a00bca7309a8d641490329184977090b540
Formbook
52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
Formbook
9f1f45b03b4f7909d0bbd7aa98895a0fcd314db228a7a233512c857ad86e7e86
Formbook
b1b8f6dcd1c8d12e5a79a8d16dd62d0900d552ba435178b691f4497d338cc704
Formbook
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
Formbook
+ 3'282 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201222-t11vaft8jj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ameeraglow.com/6bu2/
Unpacked files
SH256 hash:
34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559
MD5 hash:
889c873694152d8246fa478aba1eb0ee
SHA1 hash:
9a47f80d537e8f6b56440169a73dba51222a607c
Link:
https://www.unpac.me/results/4b3ee296-81f6-40dc-a341-26a6cfb6b81e/
SH256 hash:
b309232768b48216bcf39ec4169fbf8a7d43933a265b3fec615adfb75d752ef3
MD5 hash:
7db26338b3e376b65cc8f32f51f61ab5
SHA1 hash:
4fc040224d639982d76b79a5dd9f6389861e07af
Link:
https://www.unpac.me/results/4b3ee296-81f6-40dc-a341-26a6cfb6b81e/
SH256 hash:
e191e90988e68a5ee9e76f56900119fd9c1e5bf792f6dcb16c8ec0478809d44d
MD5 hash:
4f6fd7cd1ec4c174bf76fea4c5299e85
SHA1 hash:
f13ed977c3f75c2c9ada9d06feb96209e83445e5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4b3ee296-81f6-40dc-a341-26a6cfb6b81e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip ff7fb891cb3d9f0767178b55c62c814a362e14e236eb496d5a88dae07602a3e3

Formbook

Executable exe 34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ff7fb891cb3d9f0767178b55c62c814a362e14e236eb496d5a88dae07602a3e3
Cape
Cape
https://www.capesandbox.com/analysis/108817/

Comments