MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74
SHA3-384 hash: 267a4fb6b2c8fcaacb09dbc6f046036b0815d566735bbeadc84e656a391c01d563341906f1db66ae66e13a1db60b25ea
SHA1 hash: c3623078edc8673f2337e840869b02cfed3d64e2
MD5 hash: 064a51fe70b2fe972c704f8d9a5e9a3d
humanhash: mexico-seventeen-berlin-fruit
File name:USD 12,371.35 SWIFT report.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:758'424 bytes
First seen:2021-06-23 10:56:05 UTC
Last seen:2021-06-23 11:46:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c3f32a5a9887698ede69b21a2d37fd6f (2 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:+TnjcRRQA6nHTLYhi3pw45sVUTpVnb7x3VYq/:+Tj66nHTb9QUTppb7x3+U
Threatray 6'072 similar samples on MalwareBazaar
TLSH E6F47DD5A38005F6D0572A3D9E0767A8F8157EE03E419EDEE6E87E4A2F79380349D04B
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
USD 12,371.35 SWIFT report.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 11:00:51 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/c9675936-3a2c-44d7-ba10-c70ee9a4e41c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167786/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/241b84ed-0590-4c57-8988-93bb135acf53
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806520
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438931 Sample: USD 12,371.35 SWIFT report.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 43 www.dirtylyxx.com 2->43 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 5 other signatures 2->81 9 explorer.exe 4 2->9         started        13 USD 12,371.35 SWIFT report.exe 1 19 2->13         started        signatures3 process4 dnsIp5 45 northtlc.com 160.153.136.3, 49783, 80 GODADDY-AMSDE United States 9->45 47 www.virtualtoursthailand.com 69.163.198.8, 49782, 80 DREAMHOST-ASUS United States 9->47 53 7 other IPs or domains 9->53 83 System process connects to network (likely due to code injection or exploit) 9->83 16 Fwecwhf.exe 13 9->16         started        20 Fwecwhf.exe 13 9->20         started        22 WWAHost.exe 9->22         started        49 cdn.discordapp.com 162.159.134.233, 443, 49755, 49756 CLOUDFLARENETUS United States 13->49 51 192.168.2.1 unknown unknown 13->51 35 C:\Users\Public\Libraries\...\Fwecwhf.exe, PE32 13->35 dropped 85 Writes to foreign memory regions 13->85 87 Allocates memory in foreign processes 13->87 89 Creates a thread in another existing process (thread injection) 13->89 91 Injects a PE file into a foreign processes 13->91 24 secinit.exe 13->24         started        file6 signatures7 process8 dnsIp9 37 162.159.130.233, 443, 49781, 49784 CLOUDFLARENETUS United States 16->37 39 cdn.discordapp.com 16->39 55 Machine Learning detection for dropped file 16->55 57 Writes to foreign memory regions 16->57 59 Allocates memory in foreign processes 16->59 26 DpiScaling.exe 16->26         started        41 cdn.discordapp.com 20->41 61 Creates a thread in another existing process (thread injection) 20->61 63 Injects a PE file into a foreign processes 20->63 29 DpiScaling.exe 20->29         started        65 Tries to detect virtualization through RDTSC time measurements 22->65 31 cmd.exe 1 22->31         started        67 Modifies the context of a thread in another process (thread injection) 24->67 69 Maps a DLL or memory area into another process 24->69 71 Sample uses process hollowing technique 24->71 73 Queues an APC in another process (thread injection) 24->73 signatures10 process11 signatures12 93 Tries to detect virtualization through RDTSC time measurements 26->93 33 conhost.exe 31->33         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 10:56:11 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ar6kko7wc2ssxjuunqfgz5thniydbmf263mypnrgqib4v26ypn2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bc537df04cceb724dbfd9b6bb93a837f184bf5f1b759b3cb9f474d94a1acec2
Formbook
2cea4d259b54152c7e175ed0739e4c4c70050a49d07cacae4d9003032e7d9990
Formbook
4ab9d09d0ffc49408cb40fe30791e2dbe7d6ea5cec1d44d509c0032b7b0322c5
Formbook
82c32dd8462adfec60639b321066c7f9a9e5377dfd442bcf2537a036e8ce7218
Formbook
8700797586a744fd3e998733ed63ab6f721bacd87c6796ea7f5c1a8f2c17a3f4
Formbook
8e7766e7538b196a7d96e8c11fa2a09d86b9248a130d23381e62b32db0d7a7e0
Formbook
a47054787772fce1a96257aa9f1a70356fb752ba73ee714beed7826796db3a13
Formbook
bb8edab2af37d542c7774e5f5253e1de86fc80525f29e0e274747378201a3537
Formbook
c764bf06209113f83fe298495818adf186b5746c299ac93aab0d8ff4f080626c
Formbook
eb8c5fa3da30f5d972e7d30767099990aadce5af9e046a2765b0c64222eab118
Formbook
+ 6'062 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader loader persistence rat trojan
Link:
https://tria.ge/reports/210623-7ws3rnr4xa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
Xloader Payload
ModiLoader, DBatLoader
Xloader
Malware Config
C2 Extraction:
http://www.asconstructionin.com/m3rc/
Unpacked files
SH256 hash:
a962b300b10f701e3a3c8b4691a11161dd919a542e3ee79b890bfef413c15aa8
MD5 hash:
78c33a69fd2a9e77abcd07eed8b13cf7
SHA1 hash:
dc698bff43357d0e1b5e9c8ccfdf28e2a190aa02
Link:
https://www.unpac.me/results/624bb9eb-fcdc-47f4-ac2c-1bfc8b21ffbd/
SH256 hash:
047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74
MD5 hash:
064a51fe70b2fe972c704f8d9a5e9a3d
SHA1 hash:
c3623078edc8673f2337e840869b02cfed3d64e2
Link:
https://www.unpac.me/results/624bb9eb-fcdc-47f4-ac2c-1bfc8b21ffbd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167786/

Comments