MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11
SHA3-384 hash:	8a9213a83dc79b9e4673f33e031380ad2148e83b63d4a964359ee700fb6b99963f469aeac4b5cfec0ebafa15106c6f17
SHA1 hash:	7ed1ad8f0875565288c0198fa7313ef14c8f76af
MD5 hash:	57abdcd0874d8925ea03ffb485954c41
humanhash:	nebraska-ceiling-blossom-wisconsin
File name:	FPR-69418.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'162'752 bytes
First seen:	2024-09-09 08:39:13 UTC
Last seen:	2024-09-23 16:30:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:xAHnh+eWsN3skA4RV1Hom2KXMmHav4ScnAAO0o+k13K/5:Ih+ZkldoPK8YavwAz0413e
Threatray	363 similar samples on MalwareBazaar
TLSH	T19E35AD0273E1C036FFAB92739B69B24696BD7D654123852F13982DB9BD701B1133E263
TrID	63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10523/12/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	5c5d8e3db1b7f949 (1 x Formbook)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

416

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FPR-69418.exe

Verdict:

No threats detected

Analysis date:

2024-09-09 08:46:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/01d64f59-d613-4ad7-b62a-d92850a44055

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.19729.28596.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66deb466ee4e8155781713fd

Tags:

Autoit

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc nymeria packed shell32

Link:

https://www.filescan.io/uploads/66deb467ac80a0110f66d289/reports/82802419-60ea-493f-8baa-ce96811188df/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/156e789a-f975-4f8a-be70-40fc207d60dd

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1507796

Signature

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11/

Threat name:

Win32.Trojan.ShellcodeCrypter

Status:

Malicious

First seen:

2024-09-07 15:18:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sngayut4nqkrhjc6dlkax5f5klz2wudyg6yoydd3btk5wie3fmiq._file

Verdict:

malicious

Formbook

6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9

Formbook

9a2ebcdc6008be237ef88cb4042305090c4c4e9202a6805d76f9aaaa6a84def9

Formbook

9e445bda203f7d03e3b375d25b2f9e50f1d7b8f8136c13f3c6b387bc54c54da1

Formbook

a8ffe6b81162389192b5918c8781034befc621582c589f9335bf392ff2df864f

Formbook

bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375

Formbook

df27f957caf63ff475d1fdbe1b997be86e3386ee12662def309874fae4e89914

Formbook

+ 353 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240909-kkwalszclr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/90390d72-6561-4cdc-9a31-f3fc625e42df

Unpacked files

SH256 hash:

eafec201c16b7112482b690ed7e0dbc5c26ab009fb159286cdc4e92b4f9af4a2

MD5 hash:

db1450f713950668896e91c38a51574a

SHA1 hash:

228567bf1808530c4a8c17f3198e04e4278937e8

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/5e62bcd0-6a37-49a6-8e5c-e28423821a90/

Parent samples :

73667740e86476db201a712fccd4244cdd9e4127f208f7731b4710531a45a12f
9244f2b8ccdc1ed4270a282ccbd1c47723621dd508889e224806884a98737c70
1ad124eaa94abf39429ff17430d28524022fc147054ffe0bbb25dbbf9a404434
642475685812ab7bbc355bb0012722266572aeadc8af18e4a4b0498229deb385
99e143144585b210119ead96a354e3425f4b84a58a7554de9e89aa3a9154c21f
6a717f5f84b5af7691335c86bd25b64fbb9d73b40dfcd9010901c40de6603dff
4f6d14b81ef333607075b46913e6cb434d5003f37f2a1f372e0328b44af5e76e
594db372022016f6e585ebdba18d74c642ce91613bdb2925d11b0e499c9d46d9
c2f4d2c93d321bffcb638ea1c04436cc5d3837af03c9ad2517e7f4d2eebce887
934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11

SH256 hash:

8238962f93ef7cc52b395d801e5ca8e35fe40430dfadf814a7e760c1036404a4

MD5 hash:

d3bf241b2fca9f2567e88c3d4362b7bd

SHA1 hash:

8eb9d6501bf12b57c7e2b5f9a814c9fe1892024b

Link:

https://www.unpac.me/results/5e62bcd0-6a37-49a6-8e5c-e28423821a90/

SH256 hash:

934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11

MD5 hash:

57abdcd0874d8925ea03ffb485954c41

SHA1 hash:

7ed1ad8f0875565288c0198fa7313ef14c8f76af

Detections:

AutoIT_Compiled

SUSP_Imphash_Mar23_3

Link:

https://www.unpac.me/results/5e62bcd0-6a37-49a6-8e5c-e28423821a90/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/934c0c527c6c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 934c0c527c6c1513a45e1ad40bf4bd52f3ab507837b0ec0c7b0cd5db209b2b11

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample