MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f
SHA3-384 hash: 0a43d9e519b9fb07d36b2d3f928f6e4136320b68ded6b0a85b50ccb6a162ab80a0a0cd3d5ab22f9f005127c397c7cd98
SHA1 hash: 541131d93939b974bf395fbea0b488396bfcc0a5
MD5 hash: c21b325e767023236084063df9ae68d8
humanhash: fanta-pip-mountain-louisiana
File name:c21b325e767023236084063df9ae68d8.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:773'120 bytes
First seen:2022-11-10 12:34:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:IcqXPom39oo3F5/W+B1BXY2NbeGzWcnl/lZh3HLgWLMfkc8KczVvahghgc:bjm3io3F93BHJN2cl/lZJHLgWYfkc8K0
Threatray 17'392 similar samples on MalwareBazaar
TLSH T135F4F082712D9B5AE39C7BB132E193617BA07E325913C15E29CC75CF85337484E31AAB
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13097/50/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
c21b325e767023236084063df9ae68d8.exe
Verdict:
Malicious activity
Analysis date:
2022-11-10 12:45:24 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/8430c9cf-c128-45e4-b73a-46440c0b5c2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/331924/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636ceff720a0b4943a8ebb34/reports/e53a8a96-8cf1-4a57-9401-7b16640a8b0a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a188ece4-f346-4c61-a093-b68e5c2b6f37
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1110373
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743055 Sample: WGwBG6VUfG.exe Startdate: 10/11/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 8 other signatures 2->65 8 WGwBG6VUfG.exe 7 2->8         started        13 VBAdfzuimSND.exe 5 2->13         started        process3 dnsIp4 51 192.168.2.1 unknown unknown 8->51 43 C:\Users\user\AppData\...\VBAdfzuimSND.exe, PE32 8->43 dropped 45 C:\Users\...\VBAdfzuimSND.exe:Zone.Identifier, ASCII 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmp2F0E.tmp, XML 8->47 dropped 49 C:\Users\user\AppData\...\WGwBG6VUfG.exe.log, ASCII 8->49 dropped 75 Uses schtasks.exe or at.exe to add and modify task schedules 8->75 77 Writes to foreign memory regions 8->77 79 Allocates memory in foreign processes 8->79 81 Adds a directory exclusion to Windows Defender 8->81 15 MSBuild.exe 8->15         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        83 Multi AV Scanner detection for dropped file 13->83 85 Machine Learning detection for dropped file 13->85 87 Injects a PE file into a foreign processes 13->87 22 MSBuild.exe 13->22         started        24 schtasks.exe 1 13->24         started        file5 signatures6 process7 signatures8 93 Modifies the context of a thread in another process (thread injection) 15->93 95 Maps a DLL or memory area into another process 15->95 97 Sample uses process hollowing technique 15->97 99 Queues an APC in another process (thread injection) 15->99 26 explorer.exe 15->26 injected 30 rundll32.exe 15->30         started        32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 24->36         started        process9 dnsIp10 53 extreme25.com 50.70.252.135, 49714, 49715, 49716 SHAWCA Canada 26->53 55 www.capex-to-opex.net 89.31.143.1, 49699, 49700, 49701 QSC-AG-IPXDE Germany 26->55 57 17 other IPs or domains 26->57 89 System process connects to network (likely due to code injection or exploit) 26->89 91 Performs DNS queries to domains with low reputation 26->91 38 chkdsk.exe 13 26->38         started        41 autoconv.exe 26->41         started        signatures11 process12 signatures13 67 Tries to steal Mail credentials (via file / registry access) 38->67 69 Tries to harvest and steal browser information (history, passwords, etc) 38->69 71 Modifies the context of a thread in another process (thread injection) 38->71 73 Maps a DLL or memory area into another process 38->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 07:44:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=onhg3vpcn4aeu6qxbwpzxhkgcbgikoyglgczalb3no6ylbiermpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
137ab99c2cbf5b89d466a1208139b94be31e7668e94b9d0e35c41e180bbbd702
Formbook
32c5f893748d30548193994624dd516bf2bd343e03678a444e6f47d4123735fa
Formbook
4efed095f398feebacf3ccba9b08d00c398ea52424aca039d89ebd36580c0e96
Formbook
6d62d493cae6daf08828e14fc36c0dba18e7eb7f75ca390ec5d21ae0b3d2c9a3
Formbook
a242f1f9b948c1b173fd030a333e2492802d90a9a117f49928c218fcc8eca71b
Formbook
b271ec6f98a0ccdc009eea7a5c99970f9170ff653cb46c428d5bef6c3dcab1a4
Formbook
be9a528e67d3bf2dcd7acaaace72825a8702f13c39314499a839713c1cdd7cc9
Formbook
dc18df47b5b99206344abe7dc551b531f134a14e7f8c3390fb419167ce435f01
Formbook
f1d1416d4b589d934cce1e600841c29aecef85df061f26a24c5c0a0c8c64d7b7
Formbook
f22f3a7403575e52b54a15534d69908733c98aed07ce659d98a100eca3d4ac5b
Formbook
+ 17'382 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fswe rat spyware stealer trojan
Link:
https://tria.ge/reports/221110-psc68ahha3/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2ffba2f4-8e11-48b2-8dec-3cb045abac05
Unpacked files
SH256 hash:
480fee0db2c67fa005d4827ff5b5269d8fb0722ebe9a2e23202e572f57cd249a
MD5 hash:
57cd43facf1ba79cfb7696dda3d5d2a9
SHA1 hash:
8ceab353af0094c4db027db444cc8ba19e756593
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
Parent samples :
7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab
32c5f893748d30548193994624dd516bf2bd343e03678a444e6f47d4123735fa
4efed095f398feebacf3ccba9b08d00c398ea52424aca039d89ebd36580c0e96
734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f
SH256 hash:
f29a7ee44b8c31c1a3f296b79df3f41d9146d2f6c55c7e5c1f4398b1ca8d3b20
MD5 hash:
39e38bb25b009100b4ecf29db33bd968
SHA1 hash:
614e9a04f5992bf088c754e13e4fa1e295e9bd05
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
SH256 hash:
b91b28c7d9a5605193ad20a58833de1c6aa6fb61dbc07a7fa07558b973e51df5
MD5 hash:
be5bd00760a232a163ebdd52c88172f7
SHA1 hash:
f017a5a142c711d623ee3098e23dfda2328f56ec
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
SH256 hash:
5cab8fecde91a4d2c9ac7f32d273e77aba512115b92faad2647b7c8c92b4025f
MD5 hash:
5f690069e4dc4abb2771666f0c5cb846
SHA1 hash:
a09987c5f1b5085cf8c56da9c30024a33b43b3f0
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
SH256 hash:
734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f
MD5 hash:
c21b325e767023236084063df9ae68d8
SHA1 hash:
541131d93939b974bf395fbea0b488396bfcc0a5
Link:
https://www.unpac.me/results/c5d51e8f-e472-424e-a71d-a78363d8887d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/734e6dd5e26f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/331924/
  
URLhaus
https://urlhaus.abuse.ch/url/2405524/
  
Delivery method
Distributed via web download

Comments