MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6
SHA3-384 hash: 887a8985fea972c2305e0a13d9cbbe07338b60d3966eb7c23144882513d4b6eba311872e2b7aebf67f0ce15d8496d696
SHA1 hash: bcd55dcc98897004171101a34555a5a52102549a
MD5 hash: af391ee598dcad6563b79a84a3976215
humanhash: social-single-delaware-spring
File name:af391ee598dcad6563b79a84a3976215
Download: download sample
Signature Formbook
Create hunting rule
File size:272'260 bytes
First seen:2023-06-20 07:11:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:vYa6YQFSXM2GDkA5w6f/FQapX1etE/DvIrcGlXT:vY+aSnwDzl6micOT
Threatray 2'075 similar samples on MalwareBazaar
TLSH T10744126075E1C1ABD85383B1AB7E16634FF2A42318A6B74B1B708E5D3D37681B61F306
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af391ee598dcad6563b79a84a3976215
Verdict:
Suspicious activity
Analysis date:
2023-06-20 07:14:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69b98406-f6ef-4884-9737-a3cb0536a55c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400901/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/649151fb73cb23e4dbf7e176/reports/f54f6f3c-c034-4e6a-a9f5-d30c87f0131a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e46e1ea-2cb3-4954-b26d-f7ddca26229f
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1257969
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 03:49:54 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=onfubyt4z54j27icn533ynyefygbj2uzji5uqy3ckorm4pcijw3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
53304618643cdc79b032becca67d8f5b29e7202ec25e7bb724ce712a03ec6592
Formbook
69870e2a61815839fdc55f251a07c89580dc6c1725f850288c4dc190c08b7175
Formbook
96df49e0deef67a2fc032cf1018662606bdef066655c1f31f135ccf8e68bace5
Formbook
9c3860c6744d8b2718e1109e327795014997a81b0e21706a96242d0f8d52f55b
Formbook
a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f
Formbook
ae5b79157725bbacf7138beacbb877a5144a3e5818232b5949032941df21f7a4
Formbook
b541c7be67db127dfc53c8b8830d80d99a7389b1b40815057a4f4cdb64f37691
Formbook
dac75f90478b07cd9c53c36a4d2b01e73b7e31554a9bfec57bd328031ec15017
Formbook
db9bbd49b5b6cf0d0faa600dbdf08a4a56a3f3a37931c70792911481c4a56b24
Formbook
ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616
Formbook
+ 2'065 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230620-h1hncabg9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
03c4f763814e6afc8a12413f0abf68c786175c769b5595d8951de24cecde58f8
MD5 hash:
16415e3114b130b8dae30636158a937b
SHA1 hash:
a5b11d55110bf707b334cf0b40c2389b5fbdc4a3
Link:
https://www.unpac.me/results/47d158e6-9a98-41a4-a385-9510cbc274f1/
SH256 hash:
734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6
MD5 hash:
af391ee598dcad6563b79a84a3976215
SHA1 hash:
bcd55dcc98897004171101a34555a5a52102549a
Link:
https://www.unpac.me/results/47d158e6-9a98-41a4-a385-9510cbc274f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 734b40e27ccf789d7d026f77bc37042e0c14ea994a3b48636253a2ce3c484db6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2666905/
Cape
Cape
https://www.capesandbox.com/analysis/400901/

Comments


Avatar
zbet commented on 2023-06-20 07:11:47 UTC

url : hxxp://103.131.57.119/OneDrive/lsass.exe