MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
SHA3-384 hash:	2b73bd6a330722d68321e40e5f24429f49b1f92f694ce29935745000dee378e7795b218ed4db71b365df6733bf3dbebd
SHA1 hash:	bd841ace9bde9a84951136d225d00669d6a1bb63
MD5 hash:	1ebb5662a4db4d0de84de9baa6646010
humanhash:	july-massachusetts-july-golf
File name:	Swift Invoice.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	373'440 bytes
First seen:	2023-09-27 06:39:02 UTC
Last seen:	2023-09-27 07:42:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep	6144:BnPdudwDs05IazU7f7ftdBuksY7j/PaeggCWrh4jCV771IsUlsbIBJsgMGfk5j/w:BnPdw05Qf7fHBu27jSQMm77aBlJslGGo
Threatray	12 similar samples on MalwareBazaar
TLSH	T127842381265AC65FE4925F31CC3D978AFF6ADA25319D1F1B2724291C38663536B0F383
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	JAMESWT_WT
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Swift Invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-09-27 06:39:18 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/ebe7f510-d9d2-4316-9cc2-4f254c3df3e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451457/

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.16495.8549.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/6513ce0733582f234e044480/reports/389d7125-c55b-4654-a3ac-83e5ff98da46/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/47c56742-f30b-4f6f-91ec-7585dca3bdd8

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1314987

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample has a suspicious name (potential lure to open the executable)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2023-09-26 23:16:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 35 (62.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=brt4zvvxeljfxpute2j272gqrfkvlujeijuzciwiqegs2zqq4kua._file

Verdict:

malicious

Label(s):

formbook

Formbook

58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e

Formbook

59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756

Formbook

7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4

Formbook

86c93b4c01ca5cf2a505360e36677d0f5e5c159ba32a84019c8ef0e1e28cd596

Formbook

8ac1c0f03f5591ee9291e375cb28afa7175defc336e2d3e834a339d4a8b4d7a6

Formbook

c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed

Formbook

dc5eb730f1df702be89804ca234b60fec5fed7b6ed8d6c719f7006f40775f888

Formbook

+ 2 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/230927-henbpshh29/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Unpacked files

SH256 hash:

c6949cba7800c96fad244bc6dd6e8b11b82182b5b43c9b8c1be09b227f76b5dc

MD5 hash:

8f0e8cee28f31350d3fe6b312b800813

SHA1 hash:

426db9ea11953fa825972827e0d4dd17872bbcc3

Link:

https://www.unpac.me/results/2591cbd4-321e-4136-a545-f96dc98b7448/

SH256 hash:

0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8

MD5 hash:

1ebb5662a4db4d0de84de9baa6646010

SHA1 hash:

bd841ace9bde9a84951136d225d00669d6a1bb63

Link:

https://www.unpac.me/results/2591cbd4-321e-4136-a545-f96dc98b7448/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0c67ccd6b722/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451457/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample