MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4
SHA3-384 hash: 776c27d841bcfda93d54a7a91c10187302a19233410317ce83ca4fd9c92bb0cb13e05fde0a789e96a0ca3738c5beb482
SHA1 hash: d7455a6cda30a8b258a471b9ff14c4e8db075838
MD5 hash: 2e445cf287769000660e81966e76990c
humanhash: wisconsin-nineteen-alanine-mexico
File name:2e445cf287769000660e81966e76990c
Download: download sample
Signature Formbook
Create hunting rule
File size:705'536 bytes
First seen:2023-01-26 09:25:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:bSkOvbnR8ey/ZhJuXDJzFqIG6jxoM+/BvMmr4iQBzOnj8+V0XYCVTn3fwqZizzB:PvJ+XGgoB/BvMsttYQJMiZ
TLSH T1FBE4AD1023ED9E40F6BE4B7896B9505213B77C967973E21D8EC130DE4EB2B10AB45B27
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7eeceeccd6c2f2f2 (14 x Formbook, 9 x AgentTesla, 8 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e445cf287769000660e81966e76990c
Verdict:
Malicious activity
Analysis date:
2023-01-26 09:25:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45803318-bede-45dd-bdff-b6b9560750af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357051/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d2472dfcc41339192ea6e6/reports/d23b5efd-9bfb-46a7-affb-0acce6b83106/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68907e07-598c-47de-b31d-18199730a48c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159410
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792147 Sample: 8ClxEvJqX2.exe Startdate: 26/01/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 7 other signatures 2->62 8 8ClxEvJqX2.exe 7 2->8         started        12 CaBQpNdOYriyuO.exe 5 2->12         started        process3 file4 42 C:\Users\user\AppData\...\CaBQpNdOYriyuO.exe, PE32 8->42 dropped 44 C:\...\CaBQpNdOYriyuO.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp8002.tmp, XML 8->46 dropped 48 C:\Users\user\AppData\...\8ClxEvJqX2.exe.log, ASCII 8->48 dropped 72 Uses schtasks.exe or at.exe to add and modify task schedules 8->72 74 Adds a directory exclusion to Windows Defender 8->74 14 8ClxEvJqX2.exe 8->14         started        17 powershell.exe 21 8->17         started        19 schtasks.exe 1 8->19         started        21 8ClxEvJqX2.exe 8->21         started        76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 23 CaBQpNdOYriyuO.exe 12->23         started        25 schtasks.exe 1 12->25         started        signatures5 process6 signatures7 82 Modifies the context of a thread in another process (thread injection) 14->82 84 Maps a DLL or memory area into another process 14->84 86 Sample uses process hollowing technique 14->86 88 Queues an APC in another process (thread injection) 14->88 27 explorer.exe 3 6 14->27 injected 31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 50 sexopornoxx.store 81.88.48.71, 49714, 80 REGISTER-ASIT Italy 27->50 52 themesterofsuepnse.rest 141.98.16.169, 49732, 49733, 49735 QUICKPACKETUS Netherlands 27->52 54 13 other IPs or domains 27->54 80 System process connects to network (likely due to code injection or exploit) 27->80 37 msiexec.exe 13 27->37         started        40 msiexec.exe 27->40         started        signatures10 process11 signatures12 64 Tries to steal Mail credentials (via file / registry access) 37->64 66 Tries to harvest and steal browser information (history, passwords, etc) 37->66 68 Deletes itself after installation 37->68 70 2 other signatures 37->70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-26 06:07:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gtrdm2btptr5zfwoyswonbvkmygssnnrvk4psslyev5haewcxo2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230126-ld7kqsef5t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
a9629cd7fe82edfc031bde838ac6a2d57d7234ef8f13c57d35ef4b2b4e1314eb
MD5 hash:
952fec003ec9dd49b8165bc8a7be5a6c
SHA1 hash:
8af1113dc517487af61a1a328116889c835c5bd7
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
SH256 hash:
1ea3291d96e33e84ef0f0b0385ace4bfbaf66c68c76ec717e218fe5e7e1dccfc
MD5 hash:
756fa8590400a5a6750c6c1aa3832762
SHA1 hash:
4d52fa133db22265a1b9eaa4cb7b9375f0f273b5
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
SH256 hash:
a182971c0de952c50e91790238569987832b217aa30738707c0cdd06eb15b470
MD5 hash:
8cd24824eae10ccac1abc836083906f2
SHA1 hash:
95f5e9230acf9c5055a42ffcd613541bb5bee9f4
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
SH256 hash:
b698bb3ea1eec465855c8be6e51fe311121b1257a2151edeb6891c32db824086
MD5 hash:
6df6411800e0700b04e1579bf5e7578b
SHA1 hash:
4c53375aeb2aa8f9484970234c963a7a9cea09ae
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
SH256 hash:
34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4
MD5 hash:
2e445cf287769000660e81966e76990c
SHA1 hash:
d7455a6cda30a8b258a471b9ff14c4e8db075838
Link:
https://www.unpac.me/results/f370c0aa-1ab8-4ecd-86bc-492c576477ba/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34e23668337c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2518858/
Cape
Cape
https://www.capesandbox.com/analysis/357051/

Comments


Avatar
zbet commented on 2023-01-26 09:25:14 UTC

url : hxxp://103.167.85.122/googlesave/vbc.exe