MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a
SHA3-384 hash: 889ba3c982d83af417e98c62918205ca875884e873840f0eee2e590791e23734995cd4933c80cc061a2166e0de68b3e9
SHA1 hash: 76595877d28c884913df6b8f20285f41df0f7476
MD5 hash: 465973fa54e5fd54a551b13a73f2c6cd
humanhash: connecticut-oklahoma-jupiter-monkey
File name:SWIFT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:287'232 bytes
First seen:2024-09-26 13:09:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:U7QHHIJOFNEpsUSKIDEQoI0N1ryniSxGqBFWiQHTVSO:Uk4OnEpsUSKIDEQJu1unips9IQ
Threatray 102 similar samples on MalwareBazaar
TLSH T1355422F3AB85C0D5E9252EF15E9EAF9541898F4B1D364BC56B073C5A7338290623C32D
Magika pebin
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT.exe
Verdict:
No threats detected
Analysis date:
2024-09-23 08:25:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df1e9763-5dc3-4b0a-a5ea-e1817a0be8c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f55d2d56c487103d52cf8e
Tags:
Encryption Zpack Injection Exploit Zpack
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/66f55d32f71b9c224c132d50/reports/146ebe26-6bd4-404f-8f06-53594d32393c/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71371f3d-6739-4209-9038-db89884bd2cb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1519450
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-21 21:30:53 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eoobqwbnuadfr3hew3kr6wq7si54mpw6rb756w4cbsbkg4r7hffa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18e5ff8af38bd3bd2a0a497543241be74cf4ce575cc5c564cd34e6e3f41122aa
Formbook
3666991ba9b1b0ab338f41c37c0bfe3a8ae0fbfbde9820679a76362a610a0b23
Formbook
3fe4c784dfb841053360622561788dacfc8e4b81567bc461e4cd33e61d2d1e64
Formbook
72837dda6a46fef393a6420f045e6ae543908430d3a09fe8d4bfb6f6679c5b53
Formbook
7a54497b3213ca0a232b8483c0f23046b9d51a6c9816f768ec30094a72c47a9a
Formbook
ca250fac11d944eeee4de9f6191feb075091f76fd25e13dd070dd497a9279f01
Formbook
d662f78e5e0c62cdc866836476cc59a0f26edd95d9e14fd2f246792c39f44096
Formbook
df3c78262e1d216441fe9888920c87ee92fd963b4b3823e3e99b208b8b5b6101
Formbook
f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa
Formbook
fca9f9323e43242411c9cd339b86c9aa465c6d59adc66bb6492eb237d5435446
Formbook
+ 92 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240926-qdvy6asara/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
stealer formbook
YARA:
formbook_crypter
Link:
https://app.threat.zone/submission/c8d98189-0a9a-4571-8f13-7598cd5a3505
Unpacked files
SH256 hash:
b57b9f6e0b3a46f90643f10f5b880252db16406b35ec5ce7ebfe530c8d744598
MD5 hash:
0680288d9f6618b5f24f8052d5f97a28
SHA1 hash:
99033f4498ced61c2436947881b6c6479856e791
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/ae747bdc-88cf-457d-978c-935e884c2574/
SH256 hash:
239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a
MD5 hash:
465973fa54e5fd54a551b13a73f2c6cd
SHA1 hash:
76595877d28c884913df6b8f20285f41df0f7476
Link:
https://www.unpac.me/results/ae747bdc-88cf-457d-978c-935e884c2574/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/239c18582da0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 239c18582da00658ece4b6d51f5a1f923bc63ede887fdf5b820c82a3723f394a

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments