MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
SHA3-384 hash: 6044f256844f906231457212bc4e4482e503ff4753f0fcb7340e81b29ce33cfb16ce55c16b7222d9b92609ad719c3981
SHA1 hash: 317ee43a8116aae39f3de3279620ecff4ac05b2c
MD5 hash: f19e6012ff248b9b380bb420080258ce
humanhash: nebraska-wisconsin-oven-mars
File name:SWIFT 00395_IMG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:14'050'919 bytes
First seen:2021-05-04 06:46:17 UTC
Last seen:2021-05-04 07:01:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 64 x GuLoader, 54 x Loki)
ssdeep 6144:2PXF9XW/sQjFKjwpmGyt/4RQiTf9d03rFxJn:EXGj/wGywQiD03v
Threatray 4'971 similar samples on MalwareBazaar
TLSH 18E6BFD42A52DE79E8920BB1DC25CA124EB04F9C81D5660E77E8772573F378314EFA0A
Reporter lowmal3
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT 00395_IMG.bin
Verdict:
Malicious activity
Analysis date:
2021-05-04 09:09:45 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/422cc197-a97f-47df-afa6-a7f32e108121

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.15528.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/709376
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 403611 Sample: SWIFT 00395_IMG.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 31 www.boxj66.com 2->31 33 boxj66.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 4 other signatures 2->47 11 SWIFT 00395_IMG.exe 19 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\3bypcf8qb.dll, PE32 11->29 dropped 57 Writes to foreign memory regions 11->57 59 Maps a DLL or memory area into another process 11->59 15 svchost.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 2 other signatures 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.puzed.net 180.150.102.39, 49756, 80 WIDEBAND-AS-APAussieBroadbandAU Australia 18->35 37 crickescore.com 103.20.212.182, 49761, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 18->37 39 20 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 msdt.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 06:47:11 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2njacvknk26jojhtt232r7hci6do6d7q6wfrvxgiobwqu3rxjja._file
Verdict:
malicious
Similar samples:
01476f904e668758ea516e84f359d6d0a4d85dadc179a51788a214ea46ff9dec
Formbook
4061fb72cf023e7dbc619c0d3ee7c66e1acbb3810aba3fae2592f400d4ee1006
Formbook
63b94415ccf2fabff3be3a811ded9a5306d68ac197adc07d7c2be3b313e8a665
Formbook
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Formbook
a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Formbook
cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Formbook
e4938a8244543631ae11deb46e8b4cc3f0a8b8b7c2d4a1246f5bfadb29e0094c
Formbook
f45a023c86d834183f3073c05227d6f40686aef4a71b3893b823be493d7aae83
Formbook
f8edd84ac10813b2f9fc0d5e76a5f0036eb56e37197b45653d67403a52ef4a76
Formbook
f96442a26d160132827a3b109acadaf4aad9dab625939103677cc93783c93ea6
Formbook
+ 4'961 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210504-68xzxh96mn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.seroungift.com/bbqo/
Unpacked files
SH256 hash:
0c3c61ba24bb070c77191b1134e337148ea90e9814083ffb84edf58ee497a2ef
MD5 hash:
71d2d0b499c40f82a6cdd1ecdc4df303
SHA1 hash:
ae42e7a68b3affc5f56238fc46fb2faaad75b890
Link:
https://www.unpac.me/results/67d589f0-b3e2-4680-9e91-1a59efa2a128/
SH256 hash:
069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
MD5 hash:
f19e6012ff248b9b380bb420080258ce
SHA1 hash:
317ee43a8116aae39f3de3279620ecff4ac05b2c
Link:
https://www.unpac.me/results/67d589f0-b3e2-4680-9e91-1a59efa2a128/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 06:59:52 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0050] File System Micro-objective::Set File Attributes
11) [C0052] File System Micro-objective::Writes File
12) [E1510] Impact::Clipboard Modification
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
15) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
16) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0017] Process Micro-objective::Create Process
19) [C0038] Process Micro-objective::Create Thread