MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0147e3a3767779416793b448e91735385875aa8bf66c7ac653ad3759a4576811. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 0147e3a3767779416793b448e91735385875aa8bf66c7ac653ad3759a4576811
SHA3-384 hash: 39b9f5f0672cbbc5534014414cfd2ae3bfb2a816217048745f30480b840455c0f929869e0864c9c4c23a7c6db00ffc1d
SHA1 hash: 3651acac18cb644f7788aa660473441dfb9e9f84
MD5 hash: 34e143e62500eec4c51e46bd141a4503
humanhash: enemy-xray-colorado-bravo
File name: SWIFT26102022-58454857453739.exe
Signature: Formbook
File size: 674'304 bytes
First seen: 2022-10-27 02:18:43 UTC
Last seen: 2022-10-29 09:17:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:sWyh78oeGLo4RCyDNLsclpNQ2xv9tqYfr5qDEpfsAIHnD:PorLooCyDNLbTNQu11fdyEpfsAkn
TLSH: T194E41217E962C2B9C6FA37B208931B28377F2256D143CF545BCFA9F515D32002A0ABD9
TrID:
  64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.5% (.SCR) Windows screen saver (13101/52/3)
  9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 301070e8e8e47930 (6 x SnakeKeylogger, 5 x AgentTesla, 4 x Formbook)
Reporter: GovCERT_CH
Tags: exe, FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 256
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SWIFT26102022-58454857453739.exe
Verdict: Malicious activity
Analysis date: 2022-10-27 02:20:29 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
  Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
  .NET source code contains potential unpacker
  C2 URLs / IPs found in malware configuration
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Yara detected AntiVM3
  Yara detected FormBook
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-10-26 02:06:11 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:obc0 rat spyware stealer trojan
Behaviour
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
Formbook
Unpacked files

SHA256 hash: 051d9618a30b73fd686845613153ff9d205af37cc510433c33c86f4b0001d37a
MD5 hash: 1567143a0555f6d465253eac2c9dc918
SHA1 hash: ce0dc76be57d4c47155673a26771d245c288240a
Detections: XLoader win_formbook_auto win_formbook_g0

SHA256 hash: 3b3f21a314c332e544e58a88624c09989b21efb9e19509ccee232f05b5a84a94
MD5 hash: 0c2bf4e7c3c474420264909eca94285e
SHA1 hash: 3900aa159d353f5dff52a6876264a09b8063b10b

SHA256 hash: 1154f15601d51ebe1fa0bac52e63c4835bb37326f06d85f8067c0f2f1c0557e3
MD5 hash: 3cde741e20ecace412dd757f6e812210
SHA1 hash: f682a7b475fd512077386ac0e3a23c213dadf2e7

SHA256 hash: bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd
MD5 hash: b52058082749f08bbcb7036b0d4189e8
SHA1 hash: 90365baf6b18ff3139da00cd5caf30660643110e

SHA256 hash: 248a7c4997aacb14ca032daf9668636839f921d0a3403f09a3b0ccfdc948cbf1
MD5 hash: a7952169b04a2c6a39661aad59e79dcf
SHA1 hash: 88722f1a32c913307c0c6385b04478a79fabd12b

SHA256 hash: 878889924dc3afc5dd7976076cac6cf8ec9c283dc5bfd3fbdf5b5314decc6ec6
MD5 hash: b8289d3a8b539ff49b61b2150603fa9e
SHA1 hash: 42dd701a1360b554b8f2fe270ab14d4b8b939969

SHA256 hash: 0147e3a3767779416793b448e91735385875aa8bf66c7ac653ad3759a4576811
MD5 hash: 34e143e62500eec4c51e46bd141a4503
SHA1 hash: 3651acac18cb644f7788aa660473441dfb9e9f84
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Signature: Formbook
File: Executable exe 0147e3a3767779416793b448e91735385875aa8bf66c7ac653ad3759a4576811 (this sample)
Delivery method: Distributed via e-mail attachment
