MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581
SHA3-384 hash: 71b64937420cbf59182d4c3ac0f2f98220a81d0087c456518bfb760a3e803aa6280a07eb40dadfed55514d206b36fae2
SHA1 hash: 4fc82686427bdce4b4ec79e9409aa6c8b673be53
MD5 hash: df17b50036873f8f633a4556bc6b4c04
humanhash: lima-ack-snake-pip
File name:Swift Copy pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:18'944 bytes
First seen:2023-12-18 06:43:48 UTC
Last seen:2023-12-18 17:28:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:chH4KB0Via9CWPK+hEWMtG2vbKuXKD7gNr9GNR6nZ09re8:m3BAfzOg2xaDo4cny9re8
TLSH T128822913B56D4B22E529C73EC49BD5523334E6012F03C64AB47B1F873D633AEE946265
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
4
# of downloads :
305
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468239/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.18156.25877.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/657fea34f4b6e5e1634e89e7/reports/8cf32c28-a550-4542-a35f-b24e8c3a1fb2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/431ffbd0-72d6-42c5-87bf-bcf55971b017
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363798
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363798 Sample: Swift_Copy_pdf.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 29 www.wildroseenterprises.com 2->29 31 www.sparknplay.com 2->31 33 4 other IPs or domains 2->33 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 13 other signatures 2->49 11 Swift_Copy_pdf.exe 15 3 2->11         started        signatures3 process4 dnsIp5 41 confirmyourinfo.com 142.202.136.11, 443, 49729 PanamaservercomPA Reserved 11->41 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->59 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 Swift_Copy_pdf.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 2 1 15->18 injected process9 dnsIp10 35 shops.myshopify.com 23.227.38.74, 49736, 80 CLOUDFLARENETUS Canada 18->35 37 www.alateam.top 60.25.160.139, 80 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN China 18->37 39 dou4q4ivph6mr.cloudfront.net 13.35.116.40, 49737, 80 AMAZON-02US United States 18->39 51 System process connects to network (likely due to code injection or exploit) 18->51 22 wscript.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-12-18 03:30:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajyph736ht6lsfhfrljpauunq2si2b6wsxn5jknjlut4ze7xkwaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:zgrat campaign:sr62 rat spyware stealer trojan
Link:
https://tria.ge/reports/231218-hhgnbshcfn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Detect ZGRat V1
Formbook
ZGRat
Unpacked files
SH256 hash:
0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581
MD5 hash:
df17b50036873f8f633a4556bc6b4c04
SHA1 hash:
4fc82686427bdce4b4ec79e9409aa6c8b673be53
Link:
https://www.unpac.me/results/e3416264-489c-4b5a-b578-fa23406c31b7/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0270f3ff7e3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a044c7a7ed6d74bd186f5dcb18ca3dd1e75d3a72f434beeb973c994f6f2f1a15

Formbook

Executable exe 0270f3ff7e3cfcb914e58ad2f0528d86a48d07d695dbd4a9a95d27cc93f75581

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a044c7a7ed6d74bd186f5dcb18ca3dd1e75d3a72f434beeb973c994f6f2f1a15
Cape
Cape
https://www.capesandbox.com/analysis/468239/
  
Dropped by
MD5 422e5564794772875d98af7d2b1548f9

Comments