MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82
SHA3-384 hash: 402488d9f9c62e565435081971a3fecadc473cbc822ed8e3bbb54e9c9a928679618a5ee7c85c55f9b41591dc2491b03e
SHA1 hash: 7e0eaae1a912cf7033601cdcc0dc561509970a0c
MD5 hash: d48fbec5c6a2edf4893023951dd6c021
humanhash: quiet-solar-pluto-yellow
File name:d48fbec5c6a2edf4893023951dd6c021
Download: download sample
Signature Formbook
Create hunting rule
File size:325'632 bytes
First seen:2021-08-24 12:35:29 UTC
Last seen:2021-08-24 17:33:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:nP9bVJieaB7jiR7Y3rhYthO7umz72OB8wh1bNNcw3RybSx:nlhQihIGDLyVB8wTMw
Threatray 5'065 similar samples on MalwareBazaar
TLSH T1E364D02537A08BE5F4A9777C8125810023F6DB2FE376C719BF9AC5DE04AE9918642373
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neworder.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-24 11:37:26 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/917519e0-34ed-4ea0-95bd-c9a4fab5ec0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181903/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.24372.29935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a9d1619-4e58-475e-92de-8fab954af5dc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838232
Signature
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470664 Sample: U14s4IbToI Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 39 www.thursdayrelax.club 2->39 41 www.beijingqie9.icu 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 10 U14s4IbToI.exe 1 2->10         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\U14s4IbToI.exe.log, ASCII 10->37 dropped 67 Tries to detect virtualization through RDTSC time measurements 10->67 69 Injects a PE file into a foreign processes 10->69 14 U14s4IbToI.exe 10->14         started        17 powershell.exe 15 10->17         started        signatures6 process7 file8 71 Modifies the context of a thread in another process (thread injection) 14->71 73 Maps a DLL or memory area into another process 14->73 75 Sample uses process hollowing technique 14->75 77 Queues an APC in another process (thread injection) 14->77 20 explorer.exe 3 14->20 injected 33 C:\Users\user\AppData\Roaming\...33ewApp.exe, PE32 17->33 dropped 35 C:\Users\user\...35ewApp.exe:Zone.Identifier, ASCII 17->35 dropped 79 Drops PE files to the startup folder 17->79 81 Powershell drops PE file 17->81 24 conhost.exe 17->24         started        signatures9 process10 dnsIp11 43 movieworldart.com 50.87.223.209, 49726, 80 UNIFIEDLAYER-AS-1US United States 20->43 45 www.dhruvdhing.com 198.24.151.139, 49729, 80 SSASN2US United States 20->45 47 13 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 rundll32.exe 20->26         started        29 NewApp.exe 1 20->29         started        signatures12 process13 signatures14 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 65 Injects a PE file into a foreign processes 29->65 31 NewApp.exe 29->31         started        process15
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 12:36:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04e127c5bdf94f075639d7f44badd25223f3ebeede44258367413d8463505020
Formbook
3edf6811850efc722b39737bf3623a42127e728f0c32a0a6ab7c66044838d307
Formbook
583dbd13e7e7f24599e11c5dc3039eda53acff81cf09a110b51b035cccf4ad09
Formbook
5c8d039da52a39b80531b80b28e53060c2bfefb747ef5477d100bb3c819c089b
Formbook
719604b516f11740266b2c7a8a61129f779caf4c1f9e16bac35d39f5792a009b
Formbook
94b77677478f890b5f9e0561aebc0f66b1b2fc4494d016e9b5a70ed0ba20980b
Formbook
94ec59e8f70de9f2fc9a4774fc7ed32a7a0495115a813537f77c9aeb505a5bc4
Formbook
b2697b1c939e346a4adcf8ed2cb4a0e493f2390a54a0457c95fea5485c2fa19b
Formbook
cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2
Formbook
d8de6668573d3ceb90b6794ad11ce332f7d7ece1d4cc1c40b2279ebcdc71b5dd
Formbook
+ 5'055 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ars4 loader rat
Link:
https://tria.ge/reports/210824-wvpfn8k3se/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.126020cp.com/ars4/
Unpacked files
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/27b91922-a988-46b7-914a-815dc830051c/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
eb5270402a0cd8b0fe30df951319c9e498c67c346175ccd2c988a961f4bb18d0
MD5 hash:
b6dfbc916fe4c17ff1b49ba9e994106d
SHA1 hash:
855d134dc5539803ee604051b868514f014d9f52
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/27b91922-a988-46b7-914a-815dc830051c/
SH256 hash:
34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82
MD5 hash:
d48fbec5c6a2edf4893023951dd6c021
SHA1 hash:
7e0eaae1a912cf7033601cdcc0dc561509970a0c
Link:
https://www.unpac.me/results/27b91922-a988-46b7-914a-815dc830051c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/34e32621d9d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1560036/
Cape
Cape
https://www.capesandbox.com/analysis/181903/

Comments


Avatar
zbet commented on 2021-08-24 12:35:31 UTC

url : hxxp://75.127.7.165/pnb/vbc.exe