MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e
SHA3-384 hash: b75fb74e03b742aa15122066ae0ba42dbbe1fc6398cdf623d5aafe61ffa305a161a8c6b6264e703b8673e6442baff93e
SHA1 hash: 8721c3e79cd2914b0acdc5a4e30b99b3ff6ad0d7
MD5 hash: ff0420829a388cd77e63230be4502e82
humanhash: earth-video-floor-princess
File name:swift_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:779'264 bytes
First seen:2022-05-23 11:56:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:IVM2iNq2iNsUtQUBJB0+W1x8z9NIpe0cc7y/lbM2bKWwOm1Tx1rg73tt5:V1I15JB0N1x8YeX4YWWw3j
Threatray 13'081 similar samples on MalwareBazaar
TLSH T124F4D09CF25078DED52B8E7A59B41C14AF20BA23976FD11B1063225A493D3D3CA17EE3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
swift_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 01:50:05 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/a5de5f47-57c2-440f-9226-8bd95d1ad63e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273654/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628b76c53223462f89dd418d/reports/7e02b776-f5de-435e-8965-aeba758917b9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/119953a6-b931-49a4-8bab-6400ca4aaf08
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999735
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 632237 Sample: swift_pdf.exe Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 40 www.vulkan-platinum-online.info 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 8 other signatures 2->48 10 swift_pdf.exe 7 2->10         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\VaJuwezuAq.exe, PE32 10->32 dropped 34 C:\Users\...\VaJuwezuAq.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp8F83.tmp, XML 10->36 dropped 38 C:\Users\user\AppData\...\swift_pdf.exe.log, ASCII 10->38 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 10->50 52 Adds a directory exclusion to Windows Defender 10->52 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 swift_pdf.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        signatures6 process7 signatures8 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process9 process10 27 chkdsk.exe 21->27         started        signatures11 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 62 Tries to detect virtualization through RDTSC time measurements 27->62 30 explorer.exe 143 27->30         started        process12
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 00:24:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 41 (43.90%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhf6vrplufcniokibui4k6uwvingsjuekevqr2useejgp72ukcha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e5dd52da4fa3d13be08ae1fdf59eddbcce0fe300006f0e84d7f885cb61ff0bb
Formbook
2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395
Formbook
3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef
Formbook
7c9b9fd316c451b92af97cb1c8caf087ab4ab69fbe9f8b79f2acc2757b52d6a0
Formbook
b0d8448b8f1001c389a1d64989666d531e4a82339d3f63c3156a078af86ebbcf
Formbook
ba3eb6491a8a4953418407379da280e591d403f2ada5f3ac941bcfaab1951418
Formbook
bbf76a25feb60b000b42552adce5f72d871a82d6c6ed3bb72a7f8d94c8886f4d
Formbook
d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024
Formbook
e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3
Formbook
+ 13'071 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n6g4 loader rat suricata
Link:
https://tria.ge/reports/220523-n4lr3ageel/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
bcc1ff0c7bc4d1ffc8fede4bfc00ebdc331e53138e7d56a542a2a6a62ff037b6
MD5 hash:
db208c90e3042616c1553e7177404d84
SHA1 hash:
8bf78458fb2ae652936ca7bfaf62937faccdfa41
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb9c3d52-6228-4f2d-86fd-2118072ebaf4/
Parent samples :
a6c9f393ac5677eeccc1451ed5e1fd58c52771c06673781ce495eb956c7b867a
8a10a7d039e501feb322fc8d7777353ce540f23ffdf76a402852106581334e56
e01aab97bf2805546ef29b22bb0d9e3e2205d4a319faaf6f7f4ce966b8aaa149
44c088af1487247b48ef427d49ce3be93642e593f3ba4d730ba41d56ce17b66b
b409cabbc8dbdfa8a3d1a60cb225f27386dfcc61b3f7379812218b6660ef654f
8ff19d8ae3d48bed91963633eaf4fe35d96eca6c6bfa0dd4fe4cc54b4492c2d4
c9c30e8b5fcdba36818cdb867d9c3aa29ab421ea94eb77d2eb82001c8d9e770e
e54460b814db593c07a06645065eb94fa5fcf08b77a459d1ce79ce401d3e0075
fe830bb897373330395a82f70ff277acfa996e18dbbd5c74ebc9496e00e3c363
e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3
09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e
e2bb153627e7cbf914f93bdfa91d1a44b4e405bd277090e1d1a4dac106f13a41
SH256 hash:
378c2cd986a090931f4fd4df0136b421dd7b1ba19b723048861f5c235751dbc8
MD5 hash:
fc3ac978af9d34b92b22122ac103ace0
SHA1 hash:
f4a2e42eda15213a62184276391c66ef162b2de6
Link:
https://www.unpac.me/results/fb9c3d52-6228-4f2d-86fd-2118072ebaf4/
SH256 hash:
e48be56350c7d7e57a95e6d2367aaa81c960d4c2628aa70c5cf7c66e0c2fe5c5
MD5 hash:
6e1a594be00154b8685607ae714524a6
SHA1 hash:
94155f084c13425f66174a3ab3dd06551d541fa0
Link:
https://www.unpac.me/results/fb9c3d52-6228-4f2d-86fd-2118072ebaf4/
SH256 hash:
a59c12cbd005ff9bd3fab5671bdbb3c3adc75fe60408b59a184fe6a8596f3462
MD5 hash:
7be3a17985b2c69c0831b0ae54344106
SHA1 hash:
5cbebf2c6dd66d9adf9c8c56dd9aa226a35bc2bf
Link:
https://www.unpac.me/results/fb9c3d52-6228-4f2d-86fd-2118072ebaf4/
SH256 hash:
09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e
MD5 hash:
ff0420829a388cd77e63230be4502e82
SHA1 hash:
8721c3e79cd2914b0acdc5a4e30b99b3ff6ad0d7
Link:
https://www.unpac.me/results/fb9c3d52-6228-4f2d-86fd-2118072ebaf4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/273654/

Comments