MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8d37a049741165d6b12f21013b1fd461a6aa76354ab58b3bd06c8f0459af19a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	f8d37a049741165d6b12f21013b1fd461a6aa76354ab58b3bd06c8f0459af19a
SHA3-384 hash:	39091274e5761093720e3a8a4dd664835c32231fc8aa9153226adbfeb06c241ecc2bcaffd8882aeff694078d330091fe
SHA1 hash:	652d7364f120467ac4a02d9ffd9ce99fb527a592
MD5 hash:	93c924a60c4635eb999d8e8b3c542b91
humanhash:	six-mango-nuts-earth
File name:	Swift Copy.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	350'720 bytes
First seen:	2020-05-06 14:54:02 UTC
Last seen:	2020-05-06 15:47:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:kuRwT2MGHoWXvvhCYKW8F3zqotAuhwL3fAD47lTCs:kuR4lQXh9KhFzLa3f17ks
Threatray	5'305 similar samples on MalwareBazaar
TLSH	2974C01FA38CC13BCEEE09F9F1D5150683B5E3099292EF9A9E4454EBFC47381950329A
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

89

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.GenKryptik.EIVB.26071.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Noon

Status:

Malicious

First seen:

2020-05-06 14:53:43 UTC

File Type:

PE (.Net Exe)

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7djxubexielf22ys6iibhmp5iyngvj3dksvvrm55a3eparm26gna._file

Verdict:

malicious

Similar samples:

20e92b95515f7d7b8d27d829bbceec491cc48d3e05997b6d9523919c468d5dd8

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

5c9e82fe640647e8a6f884da87e1948da693e678c6ef642c562ad782eee824d7

6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697

7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6

b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893

b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e

b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65

d13d1c39956ee9f7123416a5b52f9f631aaeca544d1af3fb48b446485c59d377

e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b

+ 5'295 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan persistence

Link:

https://tria.ge/reports/201109-m7ly7v9aqe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Gathers network information

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.salomdy.com/c0w/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample