MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be
SHA3-384 hash: a2a8096fe3086020c07479e19a672e4a9e6b8f10e5c27f9363416d8142e629e740169e239d7d0e57c9a8fbd6dec8d0e8
SHA1 hash: 42f86e7ce568db78b788d2190c0ddaccb1a1f5d8
MD5 hash: ad2aa3ca2bc8e5c9fb98e2d6423bc732
humanhash: two-missouri-ack-uniform
File name:TT_Swift_Copy..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:784'896 bytes
First seen:2020-07-17 13:56:00 UTC
Last seen:2020-07-17 15:11:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5rMnqjzGYIdjMxMSo15GXacXYp3uyAjrMnnmn2k4zUcaBWTaCnV7AN1qD:5rvxguwcLjrcaahVAN1
Threatray 5'113 similar samples on MalwareBazaar
TLSH 3AF419F7964D81C2C4AF9EBCC4820B710997EDC5F0F5A60B03667C363676BA0E88556B
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27399/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.59975.26745.28183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389088
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246736 Sample: TT_Swift_Copy..exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 5 other signatures 2->54 10 TT_Swift_Copy..exe 3 2->10         started        process3 file4 40 C:\Users\user\...\TT_Swift_Copy..exe.log, ASCII 10->40 dropped 68 Tries to detect virtualization through RDTSC time measurements 10->68 70 Injects a PE file into a foreign processes 10->70 14 TT_Swift_Copy..exe 10->14         started        signatures5 process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Maps a DLL or memory area into another process 14->74 76 Sample uses process hollowing technique 14->76 78 Queues an APC in another process (thread injection) 14->78 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 42 www.mansiobok.info 63.250.47.242, 49716, 80 NAMECHEAP-NETUS United States 17->42 44 www.eliteliquidators.com 54.208.77.124, 49717, 49718, 49719 AMAZON-AESUS United States 17->44 46 www.yeye17171.com 17->46 32 C:\Users\user\AppData\...\ojol96lxy0av.exe, PE32 17->32 dropped 56 System process connects to network (likely due to code injection or exploit) 17->56 58 Benign windows process drops PE files 17->58 22 cmd.exe 1 18 17->22         started        26 ojol96lxy0av.exe 17->26         started        file10 signatures11 process12 file13 34 C:\Users\user\AppData\...\9L-logrv.ini, data 22->34 dropped 36 C:\Users\user\AppData\...\9L-logri.ini, data 22->36 dropped 38 C:\Users\user\AppData\...\9L-logrf.ini, data 22->38 dropped 60 Detected FormBook malware 22->60 62 Tries to steal Mail credentials (via file access) 22->62 64 Tries to harvest and steal browser information (history, passwords, etc) 22->64 66 3 other signatures 22->66 28 cmd.exe 1 22->28         started        signatures14 process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 07:14:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
Formbook
27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f
Formbook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
Formbook
6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
Formbook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
Formbook
8b6267e9733bf74cb555493e85cfe2391d3ca07a94d054421b0bb76a1d892a7c
Formbook
a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453
Formbook
afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76
Formbook
cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
Formbook
ecb66b3c2799764e4b3a10e4197fe47f1fe3f60ab10ad1c76733d712fb674873
Formbook
+ 5'103 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200717-6y8e9v6fen/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/27399/

Comments