MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed
SHA3-384 hash: ee797a821ac019d74b86c23050e3cc6619f4157545ff4e1152a330c6f50dd3fca3e48da56136dc6c595992e72359fd22
SHA1 hash: 8138c17c987fcfa2602604949206992b7d7d05f7
MD5 hash: 408c8de1cf7d5ec31e6c857f9900fa62
humanhash: glucose-bravo-kentucky-mountain
File name:rSWIFT_COPY_010100301.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:322'380 bytes
First seen:2023-08-15 13:54:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6345n3Ji/36d0+TAUk6TBx55go8jydElSG/bTFxzaopw0/KqJYJxlycesDj+:/Yd45Z79sq518jjlSGDXzDpVJYJnyceT
Threatray 3'638 similar samples on MalwareBazaar
TLSH T10B64130663E0C563E5A22A70AC30A6777BEEDD161480669F9780CB887DB1FB0DC1F765
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rSWIFT_COPY_010100301.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-15 13:56:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2e2c839-d3b8-4aa2-a1b0-7da1079e5db0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442860/
Detection(s):
Porcupine.Trojan.Win32.Strab.gen.158198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a custom TCP request
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102897/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d053b5b8-4258-4b89-960c-5a3ae8f47435
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291504
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-10 15:16:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpq42bglqqadqooviog5vdrmidujqv7vysbqbzm4vso3e2xh5pwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1dcb47034c751dcf14fe9d403725465f4e1c87cdf4fb15d32ddc731a56a98c70
Formbook
32a70d3b6c2a40554037f062ea3e768888ca7c4f05b7e2b1f66f4acb05a67aa7
Formbook
572e8b2c173dc361f25400cbbba7a980cea2dcdf91e1245902f31d05387cec1f
Formbook
628aa31e938f6407d365b1c833953f4d5b696c08c55b2b9905e2ab6dd724039b
Formbook
73fcb67b2963eb502947947794103b675de48f616249d746e64baff106042038
Formbook
99ec8b8e93e7a91dab1a16b9353333fa340d52569de4b88f5703bbc5a666211c
Formbook
a715a5da20dda10eb010a386479f0be39ebd5ab37b8dc1a468e389226be22ae8
Formbook
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Formbook
e4a99b5f1c54a4b58b8d9377b28bc93860c4a9e567abc8cd3f9cc4a1f9d3c942
Formbook
fd9e7154fa56208655424e51f68199716e3e39ca42e12b0b96d1dfe60bd9bdcd
Formbook
+ 3'628 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230815-q74hdsba72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
7243499e498823d1f6db5407ceea0f12e009bfa837f9355fd7bfd94af94b9b53
MD5 hash:
afc9661c91e47851309ffb6d42444537
SHA1 hash:
ef3e5acf3a454ae51295f29b03f6c5b04af58c1a
Link:
https://www.unpac.me/results/1cc26e35-4cd7-4598-95d0-fd3406d93d19/
SH256 hash:
0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed
MD5 hash:
408c8de1cf7d5ec31e6c857f9900fa62
SHA1 hash:
8138c17c987fcfa2602604949206992b7d7d05f7
Link:
https://www.unpac.me/results/1cc26e35-4cd7-4598-95d0-fd3406d93d19/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442860/

Comments