MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 753c4a5c9bceed532539009df6ac3e0aa3c131297a082a2ee8ce6e94b05ced35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	753c4a5c9bceed532539009df6ac3e0aa3c131297a082a2ee8ce6e94b05ced35
SHA3-384 hash:	69daef557697f5f2012e46923c1f39792dd0a2d306034684a82e206ed43038fe4bac14f16f22bf9832d4c663a52115b1
SHA1 hash:	3c0aa406a244d8c354feb899d1befc8e819d5620
MD5 hash:	1b2c308a2a4524f9ac837a3788b53e46
humanhash:	purple-violet-aspen-uranus
File name:	Swift Copy.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	774'656 bytes
First seen:	2020-05-04 13:04:38 UTC
Last seen:	2020-05-04 15:05:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	226840561775b99befbf510bf424651d (8 x AgentTesla, 4 x Loki, 2 x NanoCore)
ssdeep	12288:QYIh/JDWJ31qKVD4sNe48ZoVX/tTIiPyN8/rvZVEbwFgxm4lJaxl:QF/Ds4LoVX1hagvZVxFgx1c
Threatray	5'077 similar samples on MalwareBazaar
TLSH	79F4AF26F1904837C3B32A3D9C4B9764B92ABE512E2865B52BF51D4C5F38FF13929087
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

4

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.9289.27285.UNOFFICIAL

Win.Dropper.Remcos-7759529-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Formbook

Status:

Malicious

First seen:

2020-05-04 15:30:00 UTC

File Type:

PE (Exe)

Extracted files:

2

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ou6euxe3z3wvgjjzaco7nlb6bkr4cmjjpieculxizzxjjmc45u2q._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a

2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d

2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401

82033c587c540fbcaec2ffdc139b837868711343f8a4e9ae61c306426028ace7

8cac0e47c8769e535bb8d4c6fc749aec4be79589a303cc89144cf07b2ba91b91

9f4f34d29b570678e75a8d37f943eca1e305f49e16e9ef39e0dd6a98746b164f

a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091

c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615

f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c

f99691f533ca56e970f2be2d26ea424ac50bff2aa2bfd43482d0a166bece71eb

+ 5'067 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-epbw1pp4le/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.covpsychiz.info/sg03/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample