MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9
SHA3-384 hash: 26fa1bcc8ab8244adfeb504b3c1ff4ef4df74325be0f31611a238adf3c71b610f0fffe215770418c97538fb35d2e0163
SHA1 hash: 8b5ee6131aa4037903595c985877bfaab60ee15b
MD5 hash: 3920ec889386f316abb272f0cd4db16d
humanhash: orange-sink-skylark-pizza
File name:Swift copy.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:284'672 bytes
First seen:2020-07-28 13:36:41 UTC
Last seen:2020-07-28 15:02:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:kcF3O7P0l2uy3UWkyovqh9YoCCnkOwImG4Uhc7HQp:kQouyEWtovqDYoCswnUhSH
Threatray 4'979 similar samples on MalwareBazaar
TLSH 1A54BFA54FF7C265C35F46BC9A7D6D0903B992EB242F7F852389F1394983181B21B70A
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: rajatengineering.com
Sending IP: 95.211.253.194
From: Accountant<accountant@rajatengineering.com>
Subject: RE: TT REMITTANCE PAYMENT
Attachment: Swift copy.zip (contains "Swift copy.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33700/
Detection(s):
SecuriteInfo.com.Fareit-FVK3920EC889386.25449.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Launching cmd.exe command interpreter
Creating a window
Setting browser functions hooks
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Sending an HTTP GET request to an infection source
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/400410
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252558 Sample: Swift copy.exe Startdate: 28/07/2020 Architecture: WINDOWS Score: 100 73 www.mdr-gni-treatment-option.info 2->73 75 www.howcuty.com 2->75 77 2 other IPs or domains 2->77 85 Multi AV Scanner detection for domain / URL 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for dropped file 2->89 91 8 other signatures 2->91 11 Swift copy.exe 4 2->11         started        signatures3 process4 file5 63 C:\Users\user\s.exe, PE32 11->63 dropped 65 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 11->65 dropped 67 C:\Users\user\s.exe:Zone.Identifier, ASCII 11->67 dropped 111 Maps a DLL or memory area into another process 11->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->113 15 RegAsm.exe 11->15         started        18 Swift copy.exe 11->18         started        signatures6 process7 signatures8 135 Modifies the context of a thread in another process (thread injection) 15->135 137 Maps a DLL or memory area into another process 15->137 139 Sample uses process hollowing technique 15->139 141 2 other signatures 15->141 20 explorer.exe 4 6 15->20 injected 25 Swift copy.exe 18->25         started        27 RegAsm.exe 18->27         started        process9 dnsIp10 79 www.thefrenchmaxcompany.com 20->79 81 www.jbgrrz.info 20->81 83 4 other IPs or domains 20->83 61 C:\Users\user\AppData\...\3f1ppxnha4nh.exe, PE32 20->61 dropped 93 System process connects to network (likely due to code injection or exploit) 20->93 95 Benign windows process drops PE files 20->95 29 mstsc.exe 1 17 20->29         started        33 msdt.exe 20->33         started        35 WWAHost.exe 20->35         started        41 3 other processes 20->41 97 Maps a DLL or memory area into another process 25->97 37 Swift copy.exe 25->37         started        39 RegAsm.exe 25->39         started        99 Modifies the context of a thread in another process (thread injection) 27->99 101 Sample uses process hollowing technique 27->101 file11 signatures12 process13 file14 69 C:\Users\user\AppData\...\2-5logrv.ini, data 29->69 dropped 71 C:\Users\user\AppData\...\2-5logri.ini, data 29->71 dropped 121 Detected FormBook malware 29->121 123 Tries to steal Mail credentials (via file access) 29->123 125 Tries to harvest and steal browser information (history, passwords, etc) 29->125 43 cmd.exe 1 29->43         started        127 Tries to detect virtualization through RDTSC time measurements 33->127 129 Maps a DLL or memory area into another process 37->129 45 Swift copy.exe 37->45         started        48 RegAsm.exe 37->48         started        50 RegAsm.exe 37->50         started        131 Modifies the context of a thread in another process (thread injection) 39->131 133 Sample uses process hollowing technique 39->133 52 conhost.exe 41->52         started        signatures15 process16 signatures17 54 conhost.exe 43->54         started        115 Maps a DLL or memory area into another process 45->115 56 RegAsm.exe 45->56         started        59 Swift copy.exe 45->59         started        117 Modifies the context of a thread in another process (thread injection) 48->117 119 Sample uses process hollowing technique 48->119 process18 signatures19 103 Modifies the context of a thread in another process (thread injection) 56->103 105 Maps a DLL or memory area into another process 56->105 107 Sample uses process hollowing technique 56->107 109 Writes to foreign memory regions 59->109
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 13:38:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2usfkhg5ks4cya7xciph76dm2szppgssjwegx2nnwpzic6jymx4q._file
Verdict:
malicious
Similar samples:
387119236c9bd4c60215cab8efae3cdd16a0fe9906d83016b2dc8ee425fad40d
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f
FormBook
7da1749d927d6d2f4f8175bb1cef8c4a92793b107d24d661d83bd55c57e83df8
FormBook
8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2
FormBook
9b861daa0a7b4276df89a7ec49d2dd3388366ad60a3058df70525313799a0d05
FormBook
a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d
FormBook
c79a75bdb7f50439434aef1de18f5eaa857b9c0affd00f8e40ef85348df6cf57
FormBook
d0604fe76ff35e2311825f1822171208bd472c764dfbdbf45e20fad47f6a4472
FormBook
fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c
FormBook
+ 4'969 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200728-87dh1bt98n/
Behaviour
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Gathers network information
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Drops startup file
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d524551cdd54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 5561749633c999afe767c7558a6b941b024924629fa18bc1aebb95251aa3e659

FormBook

Executable exe d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9

(this sample)

  
Dropped by
MD5 b6f4cd75bf2fbfd7b1d2c6170261323a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33700/
  
Dropped by
SHA256 5561749633c999afe767c7558a6b941b024924629fa18bc1aebb95251aa3e659

Comments