MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f91e080cdc1fbe9586f0da5ac31afe72b931cf71d3b907495687316dfb82a3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f91e080cdc1fbe9586f0da5ac31afe72b931cf71d3b907495687316dfb82a3d
SHA3-384 hash: 1182b225213d0dbb0441fddb40649808f8aed01f248380a6e3275f77508d34b09a8538830d8a3b74bb89c25f5add4cde
SHA1 hash: a8ca837b18a458c7b77d5952dfbbd6640d2ea63f
MD5 hash: 2bb1c9b566c1e5e0b26cecffaad6b859
humanhash: timing-florida-monkey-uranus
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:732'672 bytes
First seen:2022-04-12 16:59:49 UTC
Last seen:2022-04-12 17:57:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:x7OHjj46Wn684qj9GnmJaQkv8VidWNhdYJJyJrATn5Sg2g6:EHftm6HqonFv/MdYJJmin5dh
Threatray 15'239 similar samples on MalwareBazaar
TLSH T1FBF4CF49FAA6C912E2A91337C0E7080407B4AB82D517D72F3791A6E54D433EB9D137EB
File icon (PE):PE icon
dhash icon 73432b4d556d597d (15 x SnakeKeylogger, 14 x AgentTesla, 12 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
2
# of downloads :
393
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Malicious activity
Analysis date:
2022-04-12 23:25:21 UTC
Tags:
formbook trojan stealer opendir
Link:
https://app.any.run/tasks/1f48808e-e00c-45d3-ab1a-837267e35955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263187/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GZQ.genEldorado.14590.2391.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe expand.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6255b016ffe27d5119b7be98/reports/1f8d7488-0f76-4e20-bb0f-dc57a167eae9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bc9ba27-4d4f-4c01-bf75-23ebfaeafd5e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975633
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: CMSTP Execution Process Creation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 608123 Sample: Ziraat Bankasi Swift Mesaji.exe Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 9 Ziraat Bankasi Swift Mesaji.exe 3 2->9         started        process3 file4 28 C:\...\Ziraat Bankasi Swift Mesaji.exe.log, ASCII 9->28 dropped 52 Injects a PE file into a foreign processes 9->52 13 Ziraat Bankasi Swift Mesaji.exe 9->13         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 13->54 56 Maps a DLL or memory area into another process 13->56 58 Sample uses process hollowing technique 13->58 60 Queues an APC in another process (thread injection) 13->60 16 cmstp.exe 13->16         started        19 explorer.exe 13->19 injected process8 dnsIp9 34 Self deletion via cmd delete 16->34 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Tries to detect virtualization through RDTSC time measurements 16->40 22 cmd.exe 1 16->22         started        30 www.pokebets.com 19->30 32 parkingpage.namecheap.com 198.54.117.211, 49783, 80 NAMECHEAP-NETUS United States 19->32 42 System process connects to network (likely due to code injection or exploit) 19->42 24 autofmt.exe 19->24         started        signatures10 process11 process12 26 conhost.exe 22->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f91e080cdc1fbe9586f0da5ac31afe72b931cf71d3b907495687316dfb82a3d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 17:00:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6i6bagnyh56swdpbws2ymnp44vzghhxdu5za5evnbzrnx5yfi6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0173601f1ea39ad10aacbcbf5ec51ffb25c788380c0d3903844c0a7d753e7165
Formbook
33d9ff922b2b34291e7e84fee8cb11062f4e1eb56cff714fca88f8fa5b507c09
Formbook
5258b47989843d7dd2548de441187fa1e5541cf37e93857fb599479481502584
Formbook
6a8fcf46462495a6ca31dabec1ec76366500dd93fc659415aeb0730a2e013a81
Formbook
9a0be359a0a681bda8008fed45641514f27f5b6d12765cec65ac1d261166f3f2
Formbook
a0c4f2836d7b935bd927dc9727a0391762ba85f984656e77df325f9c5e8e6db4
Formbook
c980b05670bf5afdf79a65fb6e0f0e2ad6c7bf6833c23870848dcfcac3e1437b
Formbook
d1130fc195b0a91917f5ce05fcfc7863c66ae495f2ac0aa955b64376df71db1e
Formbook
df61432d145d18bbae2c09023908cf832d384f099ae6b00bfbaf22d39cec18f0
Formbook
eb3210b628ab723969c0e007b910b1b3898c5e901a28fb7ce99321535488bd99
Formbook
+ 15'229 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:as31 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220412-vhzv5adhfp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
73d2c8a67ddb9058954f848629dac22aa4ea924d053d605c15b9be0f29c27b26
MD5 hash:
6d1a334cab8da33b031a2b3890461a64
SHA1 hash:
535e782651f3371ec5112e615d2518bc5f50cf09
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cb3b3e1b-0aea-436c-a70b-7069d5518b52/
Parent samples :
c6c0c397d2ebb9d9188e91750d7c04c17f59d70025fab943a03c82229549dd53
d1ca39fd3a44e5d54b0d5f6b578af0d1f48e78296cb15f5acede16368039e5fb
6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987
613151db2677d34450d7a67d1a78a167f3d5dade8afc2cc4e8309336857bb766
9bd32d94621a5a74385f189f23e647fc1431db38032d0433613f0bf08b51362a
f9ec408f51f4e31dbe8977db554dcda8e58e0f89eda485b361026b379f69eb6d
0f91e080cdc1fbe9586f0da5ac31afe72b931cf71d3b907495687316dfb82a3d
e6fff69c658eefdd7ba7deba86d09717b77aece9c9ca1a6e980f58ad3e2de86d
e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792
1bfc4e45067f4f1fc583289ac5f8ab3bba6403443f51d18c8546adf58de68501
aef1512bffbba03e4655ebcf9a164229f259aeb1224a716d05d1be67a55b528f
e1434d76244d2be8b84eb06a76100eed90c75406228c14c0d0b65218bb84800f
SH256 hash:
9cc0386efa4b55508f49c3fa8f29407970f16e060fd6092f5f7bde5744e0b317
MD5 hash:
88a6d8723efae4b2ce1aafddc23d23c9
SHA1 hash:
cafcf315d57fd1cb77f3ada2d08c9cf8c98d93a3
Link:
https://www.unpac.me/results/cb3b3e1b-0aea-436c-a70b-7069d5518b52/
SH256 hash:
e6e4c3f444c30200c45e6002edd8a05c43e9490bfc3f35db9a291dbcdaa6d9bf
MD5 hash:
ea31ca1a32971a14340716656d11c972
SHA1 hash:
c1a089800a124e0f5eb3e642f1cc7298a25ff763
Link:
https://www.unpac.me/results/cb3b3e1b-0aea-436c-a70b-7069d5518b52/
SH256 hash:
b4364bba1d1c0f9cd4f07899b646ab90c1fcee31a985cea8377960da1692903a
MD5 hash:
42d633e43e81a4b3b1e7c3e61a2bbcb4
SHA1 hash:
9e459eedfcd7d56b3917372066a55279e35a60fc
Link:
https://www.unpac.me/results/cb3b3e1b-0aea-436c-a70b-7069d5518b52/
SH256 hash:
0f91e080cdc1fbe9586f0da5ac31afe72b931cf71d3b907495687316dfb82a3d
MD5 hash:
2bb1c9b566c1e5e0b26cecffaad6b859
SHA1 hash:
a8ca837b18a458c7b77d5952dfbbd6640d2ea63f
Link:
https://www.unpac.me/results/cb3b3e1b-0aea-436c-a70b-7069d5518b52/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263187/

Comments