MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb
SHA3-384 hash: 8444efd6cebd8774d0e0e5e2c8862a98f4a8f0afd744c77da29640746db5d9cf79f086db71b790ced0d4a24fab2bd9d0
SHA1 hash: a2ae6c81c3ac4dc20a05a69ce116d39cc1c35ac8
MD5 hash: 406a64ab57ea700d2ecb90349fffe44a
humanhash: hawaii-chicken-robin-fix
File name:TT SWIFT COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:857'600 bytes
First seen:2021-04-07 11:20:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:/twrBQB9+KtKvPDQpwryOvu26/iWEaW0iUuyq8a9:+19vPDQ+eO226/lBuw
Threatray 159 similar samples on MalwareBazaar
TLSH EC05E055ED8096E4CD2D93305A3BC83907237D7DA5B8940D31E93F733BBBAA30026A56
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ip116.ip-147-135-107.us
Sending IP: 147.135.107.116
From: sales<sales@acalbfi.com>
Reply-To: bmathena@accesesdata.com
Subject: RE:Payment Confirmation
Attachment: TT SWIFT COPY.rar (contains "TT SWIFT COPY.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT SWIFT COPY.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-07 11:37:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c189887-5872-44ea-ba11-f2efa4306e08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132831/
Detection(s):
SecuriteInfo.com.Artemis406A64AB57EA.26117.26383.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Sending a UDP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668562
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383210 Sample: TT SWIFT COPY.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 10 other signatures 2->57 10 TT SWIFT COPY.exe 4 2->10         started        process3 file4 39 C:\Users\user\AppData\...\TT SWIFT COPY.exe, PE32 10->39 dropped 41 C:\...\TT SWIFT COPY.exe:Zone.Identifier, ASCII 10->41 dropped 43 C:\Users\user\...\TT SWIFT COPY.exe.log, ASCII 10->43 dropped 45 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 10->45 dropped 61 Writes to foreign memory regions 10->61 63 Injects a PE file into a foreign processes 10->63 14 TT SWIFT COPY.exe 10->14         started        17 AdvancedRun.exe 1 10->17         started        20 AdvancedRun.exe 1 10->20         started        signatures5 process6 dnsIp7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 22 explorer.exe 14->22 injected 47 192.168.2.1 unknown unknown 17->47 26 AdvancedRun.exe 17->26         started        28 AdvancedRun.exe 20->28         started        signatures8 process9 dnsIp10 49 www.franquiaoriginal.com 22->49 59 System process connects to network (likely due to code injection or exploit) 22->59 30 cmd.exe 22->30         started        33 autochk.exe 22->33         started        signatures11 process12 signatures13 73 Modifies the context of a thread in another process (thread injection) 30->73 75 Maps a DLL or memory area into another process 30->75 77 Tries to detect virtualization through RDTSC time measurements 30->77 35 cmd.exe 1 30->35         started        process14 process15 37 conhost.exe 35->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 07:53:00 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkvbask775swp3eoznp2d2qrrli3ciymo7nvidan27fw6hjg635q._file
Verdict:
malicious
Similar samples:
1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
Formbook
1a2beaadeb5f9bc79af30c8a9e458bff69d4b481b305451afe68d0f1a9074da1
Formbook
2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
Formbook
2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
Formbook
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
Formbook
7cece5ca77b93ef7c41219923e3c080c99bffcca2141cde0acc72dc17daa6211
Formbook
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
Formbook
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
Formbook
da2d92f0b457ef9553ed1043f410926daa39f4a8605e1725fd547428c59ce023
Formbook
e889d6dd8614cb0a6ff70e130c651068e04dce0f1694f7a16251e304d35d27d2
Formbook
+ 149 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210407-bmfg6lekm2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Nirsoft
Formbook
Malware Config
C2 Extraction:
http://www.the-techs.info/chue/
Unpacked files
SH256 hash:
c65c8788dc0fc6e300b0126c6ea11895c6edccda66a0ad724053b4bb9c0b423a
MD5 hash:
28510a0f9d0af28d6dea10f55e0d5a44
SHA1 hash:
4c0960348c36f92fb52157f3f4335664a0648918
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b89b7795-a141-41b3-bdcc-36b5e5cbe4b5/
Parent samples :
002ec09931d23f0e66d86eda11ce72113d3e29a1cd0bd296b83ee567981610d8
0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb
2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
890b8392c6add902841f3da3e66d6d82eb571b41c5abbc7df0685935e0d9d730
9dbdef7d88f84edb9e7e45115e8186915f6c37b0fd7b29b5db64689b14f28b9c
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/b89b7795-a141-41b3-bdcc-36b5e5cbe4b5/
SH256 hash:
cfee856b79c9e30bc9df6eef6d6367ae06c87e5f1f1f984a5f8787e474600176
MD5 hash:
19ab02734cd9217ce3898c25184fedec
SHA1 hash:
6c6852a6b90def24852884611486b231b9bd4e93
Link:
https://www.unpac.me/results/b89b7795-a141-41b3-bdcc-36b5e5cbe4b5/
SH256 hash:
72ebfe27f2e7a4131f98a1eb38b9a7331de1f424a5e3073464dbb7bc8c6334e4
MD5 hash:
a123101bd517ecc6b1555e8fa60b1de9
SHA1 hash:
1504de13775de42681e03297d45a3cc52974f55f
Link:
https://www.unpac.me/results/b89b7795-a141-41b3-bdcc-36b5e5cbe4b5/
SH256 hash:
0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb
MD5 hash:
406a64ab57ea700d2ecb90349fffe44a
SHA1 hash:
a2ae6c81c3ac4dc20a05a69ce116d39cc1c35ac8
Link:
https://www.unpac.me/results/b89b7795-a141-41b3-bdcc-36b5e5cbe4b5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0aaa10495fff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c128f40d739c542e4f3c410aa55e3ee769df37a7e282279927f09cae1d630f1b

Formbook

Executable exe 0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb

(this sample)

  
Dropped by
MD5 41c31ea7c8aa660e61fa6b5d33f82d13
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c128f40d739c542e4f3c410aa55e3ee769df37a7e282279927f09cae1d630f1b
Cape
Cape
https://www.capesandbox.com/analysis/132831/

Comments