MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed1cf9eefa4217ae91026ef61399f2c7a56110944d7be5c0b9459704453ea639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed1cf9eefa4217ae91026ef61399f2c7a56110944d7be5c0b9459704453ea639
SHA3-384 hash: 574f3a264ebc8479fdc106ee06206d2e8910da0447d469e93ed25f2ec017ccb294e5a2fcb979aa5c21e2b9b8d2997d58
SHA1 hash: 9fb3fab0a153dea55af90a4c2db455f9ef36140f
MD5 hash: dacfe9fb5b30790a96cf0fa6447446d4
humanhash: uniform-purple-georgia-minnesota
File name:Swift.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:335'360 bytes
First seen:2020-05-19 05:46:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5fad844b2c47cd92aae84559cf2b888 (6 x FormBook)
ssdeep 6144:8fLk8CPa4LWhA46QlaJsElwTfn3Y1YN4shXDzdki:8Tr4Ln2aCswLI24shzzdk
Threatray 5'114 similar samples on MalwareBazaar
TLSH D1648C25A56CDEBCD53F4177BA92CD6A8ECE4CB3606E4C19C4B8F341C87C782C596226
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.huclangia.tk
Sending IP: 64.52.172.117
From: VITECH S.R.L <info@vitechsrl.it>
Subject: Please find attached SWIFT copy
Attachment: New.Invoice.img (contains "Swift.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-18 22:14:39 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5uopt3x2iil25eicn33bhgpsy6swceeujv56lqfziwlqirj6uy4q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
109c73a382ad3562b4fa1c6cb8627104627490e93425ade372451f6f4426007b
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
62e14fd32e9017316aebcd340ef6c5c69176f457194d332e2aec17cab7de0787
FormBook
a26f2c3365de0a5e3a9868ba0de16f81807076b54abc15625fdda5d730dd809c
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 5'104 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-kzm2qr6nzn/
Behaviour
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.covpsychiz.info/ta/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 3de9b75931d4679c1f1f2407142c9f5d1349f82a83e771c3893b30f2dc5bf5e2

FormBook

Executable exe ed1cf9eefa4217ae91026ef61399f2c7a56110944d7be5c0b9459704453ea639

(this sample)

  
Dropped by
MD5 465398a96fa2e3bfec8a603ef8639203
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3de9b75931d4679c1f1f2407142c9f5d1349f82a83e771c3893b30f2dc5bf5e2

Comments