MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b34b6462f2ddb5cd51c1a06addb5a1fd3f69e5ea573bc2ab3d2eef0ac761022. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b34b6462f2ddb5cd51c1a06addb5a1fd3f69e5ea573bc2ab3d2eef0ac761022
SHA3-384 hash: 93b7d81306d16cfc1a025b55da538c8e083d30282b3eef8cf37be54904a7699e5caa0d5aec7586c70c48ee98d2b36cbe
SHA1 hash: 841bc92461ac9c6fc2541ab9951f13d91e40b9d2
MD5 hash: a4524c060b64455df18a31aa5f83d58f
humanhash: colorado-undress-orange-nebraska
File name:wire transfer.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:604'672 bytes
First seen:2021-08-02 05:24:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3v/rJvejyzdLknMzRRRRR1GvVn9YM3qsSbDvQ9FAXABUC82jm4rPaqK06R:XdGEdYnYRRRRRMV9YMasjrAbC82CePh/
Threatray 7'235 similar samples on MalwareBazaar
TLSH T17DD4F12C23A89639D1BE07BC8425124143F8B663A557F35D9ED0A4F90DA37E3CB2619F
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
818
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
wire transfer.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 05:26:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b02b1c89-15f6-4a4b-bf1f-a18ed81dea76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175627/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.677-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e6fccfc-a779-4d31-bc12-8701ae3ec907
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825355
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457765 Sample: wire transfer.exe Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 19 Found malware configuration 2->19 21 Malicious sample detected (through community Yara rule) 2->21 23 Antivirus / Scanner detection for submitted sample 2->23 25 6 other signatures 2->25 6 wire transfer.exe 3 2->6         started        process3 file4 17 C:\Users\user\...\wire transfer.exe.log, ASCII 6->17 dropped 9 wire transfer.exe 6->9         started        11 wire transfer.exe 6->11         started        13 wire transfer.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6b34b6462f2ddb5cd51c1a06addb5a1fd3f69e5ea573bc2ab3d2eef0ac761022/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 05:25:10 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nm2lmrrpfxnvzvi4didk3w22d7j7nhs6uvz3ykvt2lxpbldwcara._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08a758993c43a321076d8bbc7d9352f1affee8ae44db80c1cf2ced2e6f2cfed2
Formbook
0c3d534f9d39f802e50ec5d61b2256192f5f3b8bb1e6908a6dcd2a3626582a64
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
3aeba8bab322ad2d34a8ffb2638587ed644551fd8ab8b93c7d5425dfc3ea93ed
Formbook
77f75ced9cfdb9bff40e705aaced15795f123e460db0fcb97463e0515aaf8af1
Formbook
94b5ba8b9cf0c9b6d3e790aadc37b8afb3099af0d151761d5c7196dd6fb81539
Formbook
9f51a8d040ff4b06c2340f4a54eb94e8243de2c214c2072b58b17632201ba1ea
Formbook
cc58e505c504c770a1031d30453615f7748b0618b872655ac79a059a072c194c
Formbook
e28c889ab69d687e864a575a571394099cfed302d28d41274ed77c63adcd0a69
Formbook
f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
Formbook
+ 7'225 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210802-7ttpjr2qgn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.talleytv.com/ca84/
Unpacked files
SH256 hash:
e33b0d0b4b86f0dbb3d1278e68e88a650e5f3350694efb70be313761197b1969
MD5 hash:
471161f6f24e5d26b2db3e0ee18e80b5
SHA1 hash:
ed98f1178a5fe4b86fe0f7e4cd5ebbfba7483a30
Link:
https://www.unpac.me/results/34d800e7-1a61-49b2-83ec-a27ee8f0be44/
SH256 hash:
6b34b6462f2ddb5cd51c1a06addb5a1fd3f69e5ea573bc2ab3d2eef0ac761022
MD5 hash:
a4524c060b64455df18a31aa5f83d58f
SHA1 hash:
841bc92461ac9c6fc2541ab9951f13d91e40b9d2
Link:
https://www.unpac.me/results/34d800e7-1a61-49b2-83ec-a27ee8f0be44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6b34b6462f2ddb5cd51c1a06addb5a1fd3f69e5ea573bc2ab3d2eef0ac761022

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6b34b6462f2ddb5cd51c1a06addb5a1fd3f69e5ea573bc2ab3d2eef0ac761022

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175627/

Comments