MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
SHA3-384 hash: d337b5ee2b07eb36ebb4a10ac52e3bc7e940fdd94735544ee17b95ecf8a5ad32a593157d345b103e5862e4153f97920c
SHA1 hash: 75ade46af0660d715cdbbe2b7a90424d4d84945d
MD5 hash: 03b17f12c5b5fc5fbfbaa76399e8002f
humanhash: south-india-bulldog-early
File name:Swift.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:219'282 bytes
First seen:2022-04-25 08:51:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:oNeZg14JHXuf5KmE+rZOuTdcC2xIC90pLXg4Psgff:oN8HXG1NOiSPxbCLX7PsOf
Threatray 15'158 similar samples on MalwareBazaar
TLSH T17E240243FD64C4BEE8B61673497BA29A09D52C3D06B01D4F87CD7B6C3832263469962F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 131163e1e1e1e1a0 (17 x SnakeKeylogger, 7 x Formbook, 2 x AveMariaRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266277/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/626661312f162d9fdf650c45/reports/b6657aa1-0a0c-4585-91a1-731e9aaab8e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90c1d4d2-986b-4183-b648-ecee1d1708ba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982279
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 614766 Sample: Swift.exe Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 35 www.openft.xyz 2->35 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 12 Swift.exe 18 2->12         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\gynoox.exe, PE32 12->33 dropped 15 gynoox.exe 12->15         started        process6 signatures7 69 Tries to detect virtualization through RDTSC time measurements 15->69 18 gynoox.exe 15->18         started        process8 signatures9 45 Modifies the context of a thread in another process (thread injection) 18->45 47 Maps a DLL or memory area into another process 18->47 49 Sample uses process hollowing technique 18->49 51 Queues an APC in another process (thread injection) 18->51 21 explorer.exe 18->21 injected process10 dnsIp11 37 www.hxtz54.com 119.28.91.18, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 21->37 39 www.xn--ekr703aymjgvi.group 21->39 41 2 other IPs or domains 21->41 61 System process connects to network (likely due to code injection or exploit) 21->61 25 msdt.exe 12 21->25         started        signatures12 process13 dnsIp14 43 www.hxtz54.com 25->43 63 Modifies the context of a thread in another process (thread injection) 25->63 65 Maps a DLL or memory area into another process 25->65 67 Tries to detect virtualization through RDTSC time measurements 25->67 29 cmd.exe 1 25->29         started        signatures15 process16 process17 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 08:52:04 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5vbbpoa44vswsn73nq4gb6hfsh6f7e52xw6bt5lyy7klkv7tjhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f571806c2d2a6fc5ec6d45df5150d762b4bedee7da83c4b3b887970f12d2da0
Formbook
0fc662db75eaa85eb49edf6f71b68072802ce24b87cf3ef9c2eb30d76e988512
Formbook
1db0c14308c42fd03886fdef546388f61558e612fce7f7043c28c822ac0c9b5e
Formbook
6b765d70d97e0b3d8da0d871555d9d284bd08e85034ad45447bde1aadd2b2878
Formbook
805d05e4bc4ea60742052443cb9e2a4b3527aee8f311862ed37ec98559884555
Formbook
8dce368d13b52cf207fa4139ed76adb6cc547ab99de8c3f6e5a5cbc6e391d26f
Formbook
99bb3d1c9a2a4dad6465a81df1008b91f5836e51ce0463da76b31f9758dd9b62
Formbook
9cd0bbacb06bc4a961772ad5dac574736247fa7604116855118ecabb6926643b
Formbook
e5f85b9f804c783c4c580dae508a4e2b9455727a3ede511f9b6ead8ca2b91dc8
Formbook
e68d65f2d19ca4d1d09bfc86fad9464689e1453f3c4488ef75dbb84041f22518
Formbook
+ 15'148 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hsot loader rat suricata
Link:
https://tria.ge/reports/220425-kspsssgabm/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
f72993da75396849b8f58292a3fc1692bd5f9df07fc0526cb3b4e4af427f53e9
MD5 hash:
f681eb16d79cca0fd14a7796d6d8b45d
SHA1 hash:
a90f0607f42b7c1c6fe96c620a21fc6a525e059b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/63828ae0-db6a-4aae-954f-a1245ee46215/
Parent samples :
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548
e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SH256 hash:
428a93604f67ed28baf755599a0b87fca69a26e04a047a5dcaea8816d1fb837c
MD5 hash:
cac59ae3259fcb4fa88990e20838b784
SHA1 hash:
71c1f22756464af1a5e56a9b7217c353f65078ce
Link:
https://www.unpac.me/results/63828ae0-db6a-4aae-954f-a1245ee46215/
SH256 hash:
52fbc113091c842e90f2d31c4091d7ae895c4e648d57678b7e6248df836aa5b9
MD5 hash:
5aa3b487ea5b9302520fa45a4df2cc7c
SHA1 hash:
a5b1c6552fd5e83cf7aaa731d0324dcb2d063358
Link:
https://www.unpac.me/results/63828ae0-db6a-4aae-954f-a1245ee46215/
SH256 hash:
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
MD5 hash:
03b17f12c5b5fc5fbfbaa76399e8002f
SHA1 hash:
75ade46af0660d715cdbbe2b7a90424d4d84945d
Link:
https://www.unpac.me/results/63828ae0-db6a-4aae-954f-a1245ee46215/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f6a10bdc0e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pdb2
Create hunting rule
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/266277/

Comments