MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67
SHA3-384 hash: c4e664d127a67b95f0557860c346bb554fbd16acf7b4f8c4a74b775f3d9517298b1cc8bd9201bc4bb47b77d6b1f92bd2
SHA1 hash: e74cf3642e4bd4b3f616bc5230edd5312d97ecfc
MD5 hash: b8ead540e40416915bd3f6134f2017bb
humanhash: saturn-montana-mississippi-illinois
File name:SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:916'480 bytes
First seen:2021-01-19 07:54:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NdJneKHwrJDoOCo42Y1e0Lwuiq0jnR5wI4LrgCDsxSXHHyUsE:FKqPgYUGwuDzQ3CHHXs
Threatray 3'679 similar samples on MalwareBazaar
TLSH 4B159E2222C95F5CF0BE93756028041797F6F852D725EB5EBDC490DA0A62FC2CB9A713
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

From: International payments department <office@cncautomatizari.ro>
Subject: SWIFT Payment DOOEL EUR 74,246.41 20210101950848
Attachment: SWIFT Payment DOOEL EUR 74,246.41 20210101950848.gz (contains "SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 08:05:49 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/29cc9b36-0fd2-4a76-a40d-47e0e18e51cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112822/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584633
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Creates an undocumented autostart registry key
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341356 Sample: SWIFT Payment DOOEL EUR 74,... Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 37 www.superrmpay.com 2->37 39 superrmpay.com 2->39 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 9 other signatures 2->57 11 SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe 3 2->11         started        signatures3 process4 file5 35 SWIFT Payment DOOE...10101950848.exe.log, ASCII 11->35 dropped 71 Injects a PE file into a foreign processes 11->71 15 SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe 11->15         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 15->73 75 Maps a DLL or memory area into another process 15->75 77 Sample uses process hollowing technique 15->77 79 Queues an APC in another process (thread injection) 15->79 18 explorer.exe 6 15->18 injected process9 dnsIp10 41 superrmpay.com 103.117.212.32, 80 WEBWERKS-ASWebWerksIndiaPvtLtdIN India 18->41 43 www.woundhealth.info 216.92.3.110, 49742, 49767, 49790 PAIR-NETWORKSUS United States 18->43 45 22 other IPs or domains 18->45 31 C:\Program Files (x86)\...\vgaenwtlrh.exe, PE32 18->31 dropped 33 C:\Users\user\AppData\...\vgaenwtlrh.exe, PE32 18->33 dropped 59 System process connects to network (likely due to code injection or exploit) 18->59 61 Benign windows process drops PE files 18->61 23 svchost.exe 1 12 18->23         started        file11 signatures12 process13 dnsIp14 47 www.superrmpay.com 23->47 49 superrmpay.com 23->49 63 System process connects to network (likely due to code injection or exploit) 23->63 65 Creates an undocumented autostart registry key 23->65 67 Tries to steal Mail credentials (via file access) 23->67 69 4 other signatures 23->69 27 cmd.exe 1 23->27         started        signatures15 process16 process17 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 06:03:04 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eapqndav45e44hj32guojcijvgyorznqo5fq5mvlzeewisp5xztq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734
Formbook
41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70
Formbook
6acec5800bb6a457e47029754e9eb7d6bf405ff56ea9f074741dabfdac141c18
Formbook
82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7
Formbook
9763034a6f6e93c907471ca361e619f5fe5ec0b3aeb301cd046bd877c62aaea7
Formbook
ad03ca16b05c593894d3cf90ea6ebe56f3ce6dc94dc0675234f357893f3aadfa
Formbook
e4e84d03d4cb709d737f9ee3e69b40d797e452d83faa35f0a06bb78a87ad0984
Formbook
e79083b58aae06c0413f65d3979fcad177112e4f49ef3568d0b52392b07ff720
Formbook
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
Formbook
f1422701954b6c0116802819526ba75f414beda5419f80445d321885d8732473
Formbook
+ 3'669 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-1872j4y4f6/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.boundlesshealthyliving.com/isub/
Unpacked files
SH256 hash:
7e815a5d5af8a905a933cceb51e312d8c4706a7a3bb598908dea7fe80c52cecd
MD5 hash:
65c05e0622497d4a50f4155032540480
SHA1 hash:
5239ae262d152d9684e33b05bda4ab4e7c87e614
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f06ecbfc-0dd8-40b1-b4b7-21305ad07067/
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/f06ecbfc-0dd8-40b1-b4b7-21305ad07067/
SH256 hash:
b7e2a80913eab174a004c34e7d241023e65f212e722ca23a4e3d64f93b1dc09c
MD5 hash:
381f059195cfb9b6d012fed8c3cf45b3
SHA1 hash:
b2f5434cb2ff64bda0eb411c4ee93910fdc926b8
Link:
https://www.unpac.me/results/f06ecbfc-0dd8-40b1-b4b7-21305ad07067/
SH256 hash:
201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67
MD5 hash:
b8ead540e40416915bd3f6134f2017bb
SHA1 hash:
e74cf3642e4bd4b3f616bc5230edd5312d97ecfc
Link:
https://www.unpac.me/results/f06ecbfc-0dd8-40b1-b4b7-21305ad07067/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 250ca7dd991b5dd7b63c98901c3d285be7e6eceb6fe6bd556d65632afaafe5fa

Formbook

Executable exe 201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67

(this sample)

  
Dropped by
MD5 7c29a1a7c6cc0a7c4fa6b58c40d0c2f2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112822/
  
Dropped by
SHA256 250ca7dd991b5dd7b63c98901c3d285be7e6eceb6fe6bd556d65632afaafe5fa

Comments