MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
SHA3-384 hash: a7d3eb84a24771b4e73cc1f4c16b998a34bb2b5f011df4ea42010b8d43a47a9dfa096efa0db7f785394c6ff280dd04d4
SHA1 hash: 39b90382d1dc864da688d87bd2d259ba97cd54e3
MD5 hash: 9e5a7159e8726752eb5f52b79044f76b
humanhash: sixteen-ten-mobile-burger
File name:Swift Copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:660'452 bytes
First seen:2022-10-22 12:41:08 UTC
Last seen:2022-10-24 17:57:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:ebKIsc04oiSX46H4eXk+8dlaRyJgf2VVVDHnK/gaVC7Q:ebzIbs65U/IyLVHDqnqQ
Threatray 2'059 similar samples on MalwareBazaar
TLSH T141E45A11658A6092C9043A78315C7BA826252FD3CAF3898C196DB68BDDDDF03173B5FE
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d490531064c80d2d (3 x RemcosRAT, 2 x AgentTesla, 2 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Swift Copy.exe
Verdict:
Malicious activity
Analysis date:
2022-10-21 20:49:07 UTC
Tags:
remcos keylogger
Link:
https://app.any.run/tasks/4263d1b5-31f9-4056-8c69-e4f5da0adcf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322655/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.26316.14554.22923.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44429/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6353e51b339362a6061b44f1/reports/b615fb53-e331-45c6-a635-261697ab10a7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e9ffea8-62f1-40ad-9930-2c3a21aa19cd
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095502
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 728143 Sample: Swift Copy.exe Startdate: 22/10/2022 Architecture: WINDOWS Score: 100 57 geoplugin.net 2->57 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 4 other signatures 2->73 8 Swift Copy.exe 18 2->8         started        11 iljuthnqojogv.exe 2 2->11         started        14 iljuthnqojogv.exe 2 2->14         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\txlggolmv.exe, PE32 8->47 dropped 16 txlggolmv.exe 1 5 8->16         started        49 C:\Users\user\AppData\Local\Temp\62C1.tmp, PE32 11->49 dropped 75 Multi AV Scanner detection for dropped file 11->75 77 Machine Learning detection for dropped file 11->77 79 Found hidden mapped module (file has been removed from disk) 11->79 20 WerFault.exe 10 11->20         started        22 conhost.exe 11->22         started        24 iljuthnqojogv.exe 11->24         started        51 C:\Users\user\AppData\Local\Temp\7BC7.tmp, PE32 14->51 dropped 81 Maps a DLL or memory area into another process 14->81 26 WerFault.exe 10 14->26         started        28 conhost.exe 14->28         started        30 iljuthnqojogv.exe 14->30         started        signatures6 process7 file8 41 C:\Users\user\AppData\...\iljuthnqojogv.exe, PE32 16->41 dropped 43 C:\Users\user\AppData\Local\Temp\B8F5.tmp, PE32 16->43 dropped 45 C:\Users\user\AppData\Local\Temp\B2EA.tmp, PE32 16->45 dropped 59 Multi AV Scanner detection for dropped file 16->59 61 Machine Learning detection for dropped file 16->61 63 Contains functionality to steal Chrome passwords or cookies 16->63 65 4 other signatures 16->65 32 txlggolmv.exe 2 14 16->32         started        35 WerFault.exe 23 9 16->35         started        37 conhost.exe 16->37         started        39 txlggolmv.exe 16->39         started        signatures9 process10 dnsIp11 53 41.216.183.226, 41900, 49699 AS40676US South Africa 32->53 55 geoplugin.net 178.237.33.50, 49701, 80 ATOM86-ASATOM86NL Netherlands 32->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 22:57:48 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxsqbcl3r3myiv24csigevpwss7oh7nn47gdnh34bjirqxwgdoqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
Formbook
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
Formbook
8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189
Formbook
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
Formbook
9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e
Formbook
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
Formbook
b45dbf75dd0de5a62cb362bcc26b59cdd6a7adae8a74c71c30e7db9c36b20265
Formbook
e7a7431b7c5f7d73f80f8474e5d62a3620a639c762ea78b0266ff867c048a153
Formbook
+ 2'049 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221022-pxb5qadbb4/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dc76240e-a9e5-42a7-af10-f5a866b256b7
Unpacked files
SH256 hash:
f3a27988f1a0da94a6e71b6c0497f8baa8ae1f3c919029240fa198e1f6c067e3
MD5 hash:
f3f932bd1d5ebfe17389c8ddf99604f5
SHA1 hash:
a67b3f08ee4c818032a325f884e83cc96f32b62d
Link:
https://www.unpac.me/results/1685f53f-3f7a-4014-a0ae-9638147773d8/
SH256 hash:
b004491771d05dc604c8f1a7b169673e9b7a7f33c4833bcfa50c5e76b8c9a1d8
MD5 hash:
b30ad3ec69c35a44bd720e88e07e283e
SHA1 hash:
52a834e399eb4fcac0a4bc0b1f53634da776aecf
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/1685f53f-3f7a-4014-a0ae-9638147773d8/
Parent samples :
8573105c4b67affc024eec0b64c4f4c2f2e7f52d31b5eec059d6d8dc6f0a3743
0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
ac2022d039991daaa6b3f05a7d2324b55247446b4f0b20f0feb36d22fd21d428
522de9141cf7d1449c48f439b23bbc53be3de244e1baf817759b64eedfe5ae00
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
284749a242c7dcee6d5f8d71bb4de12ccbc7f7acc24a8fb795859b0393f23577
SH256 hash:
0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
MD5 hash:
9e5a7159e8726752eb5f52b79044f76b
SHA1 hash:
39b90382d1dc864da688d87bd2d259ba97cd54e3
Link:
https://www.unpac.me/results/1685f53f-3f7a-4014-a0ae-9638147773d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322655/

Comments