MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4698bc9f2d175db34261a75b9af17e3a6da6e1bf2df9c287c37fcc133d421cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4698bc9f2d175db34261a75b9af17e3a6da6e1bf2df9c287c37fcc133d421cd6
SHA3-384 hash: bb1491b73450eba045ca07e928bcea2ed8d29ed56b5ac866d754cb771b15971af95504b24440e4c9bf268800b2893719
SHA1 hash: 3f7004455e5390448c360c0201aa8ec61ea4bd1a
MD5 hash: 34f0a0bab5402fc66736cee86b1221bc
humanhash: cold-virginia-alpha-summer
File name:34f0a0bab5402fc66736cee86b1221bc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:699'392 bytes
First seen:2021-02-03 18:45:48 UTC
Last seen:2021-02-03 21:01:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RZi9709qrDzeuxRV0AOpyKvloGewAGaQ0VLKYrSRcrLV4+Ob0cAnIDdy894bUtjd:RZYDauxJUJ9fgXLhrscrLV4+Ob0cAnp9
Threatray 3'737 similar samples on MalwareBazaar
TLSH 41E402243ABC5F4AE3B57FF90EB5A01027BD2A5A3425D3088EE129D92635F8D5A40F53
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
34f0a0bab5402fc66736cee86b1221bc.exe
Verdict:
Malicious activity
Analysis date:
2021-02-03 18:53:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d1197db-1ce6-4a12-9870-bd1c47c0a8bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115431/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42827.16727.23532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/598338
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 348207 Sample: Xi4vVgHekF.exe Startdate: 03/02/2021 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 10 other signatures 2->57 10 Xi4vVgHekF.exe 6 2->10         started        process3 file4 37 C:\Users\user\AppData\...\chWqXDfTzxGvP.exe, PE32 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmpBC7F.tmp, XML 10->39 dropped 41 C:\Users\user\AppData\...\Xi4vVgHekF.exe.log, ASCII 10->41 dropped 61 Tries to detect virtualization through RDTSC time measurements 10->61 63 Injects a PE file into a foreign processes 10->63 14 Xi4vVgHekF.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 Xi4vVgHekF.exe 10->19         started        21 Xi4vVgHekF.exe 10->21         started        signatures5 process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 23 explorer.exe 14->23 injected 27 conhost.exe 17->27         started        process8 dnsIp9 43 allservice.center 37.61.214.188, 49740, 49765, 80 VELIANET-ASvelianetInternetdiensteGmbHDE Germany 23->43 45 www.3rud.net 74.220.199.6, 49760, 80 UNIFIEDLAYER-AS-1US United States 23->45 47 21 other IPs or domains 23->47 59 System process connects to network (likely due to code injection or exploit) 23->59 29 explorer.exe 12 23->29         started        signatures10 process11 dnsIp12 49 www.fred-auto-sport.com 29->49 73 System process connects to network (likely due to code injection or exploit) 29->73 75 Modifies the context of a thread in another process (thread injection) 29->75 77 Maps a DLL or memory area into another process 29->77 79 Tries to detect virtualization through RDTSC time measurements 29->79 33 cmd.exe 1 29->33         started        signatures13 process14 process15 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4698bc9f2d175db34261a75b9af17e3a6da6e1bf2df9c287c37fcc133d421cd6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 12:24:10 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2mlzhznc5o3gqtbu5nzv4l6hjw2nyn7fx44fb6dp7gbgpkcdtla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2128551c6363325c0d054a9a4d19bd066a9bde70d6ee860535d298d6961b54d7
Formbook
42f1eae60298f6d5fba417912070ac64bb13c35d5f7d60fc207ebb14a6304219
Formbook
46a62d0c493c466428aacdd8d980868e7065e12a33216983b7efea8e013fe37e
Formbook
4c2ffa57352cd1e3b76fdf01f581046245fe70427377823464857ad32189dcba
Formbook
6ceed0880cf4e6861ae894331beef85274f7f6a3f8dbc19d4a5f4e41b239439e
Formbook
7052f92dce4eaee0a7a7046c6529d6ebc79ddb2ee6e487cf34c6c7cd5dfea6ee
Formbook
92463d5500d27c6270248dfa01e99a77cc33c5caab3ae357c424b3d42864a4f7
Formbook
c73732f1e8d7aff13f1c0ef733d9d4734ad81b12f27b414f0412204eb3373c71
Formbook
f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1
Formbook
fd3450b3f8973200c17fb786110c7a8f7c6994833137ca37322355d1ab9c8e82
Formbook
+ 3'727 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210203-1grpj8s862/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.aubonmarcheduparc.com/rina/
Unpacked files
SH256 hash:
8855e020cd2d9a6079cf9496399da009cf6e0e966465c12ecba3545102eddf60
MD5 hash:
6cfcb1922adf8c5f47df0baa5bb98dfd
SHA1 hash:
6bf8fb6601447c3a9a14a189ac6d634b1ce00814
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/11cffe7f-25da-498a-b526-241be56c7146/
SH256 hash:
8fd86c399e70f588548d55d93335842d964b47d76e1426766070907e3ab32d95
MD5 hash:
a9ec47901e62c4a8ffd0a96833cc32d3
SHA1 hash:
e297f8d6c0aba849ef5c9597eca72ab976cdc01e
Link:
https://www.unpac.me/results/11cffe7f-25da-498a-b526-241be56c7146/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/11cffe7f-25da-498a-b526-241be56c7146/
SH256 hash:
4698bc9f2d175db34261a75b9af17e3a6da6e1bf2df9c287c37fcc133d421cd6
MD5 hash:
34f0a0bab5402fc66736cee86b1221bc
SHA1 hash:
3f7004455e5390448c360c0201aa8ec61ea4bd1a
Link:
https://www.unpac.me/results/11cffe7f-25da-498a-b526-241be56c7146/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4698bc9f2d175db34261a75b9af17e3a6da6e1bf2df9c287c37fcc133d421cd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4698bc9f2d175db34261a75b9af17e3a6da6e1bf2df9c287c37fcc133d421cd6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948953/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115431/

Comments