MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
SHA3-384 hash: 0c68f72ad5f15ec386682b3ba62f10d03849a759754dd768e278c3a241ff29bed0d4b00332fff9036bf16a95b87003f8
SHA1 hash: cf58a34fe69fd11825ce93160bce12d4db1112f7
MD5 hash: 88e07d255b86f16c9e457e832638c7a6
humanhash: massachusetts-orange-hawaii-foxtrot
File name:SWIFT001411983HNK.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:779'264 bytes
First seen:2021-05-11 05:49:58 UTC
Last seen:2021-05-11 07:18:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 146e24575086448ba589e1755a927ce7 (5 x Formbook)
ssdeep 6144:74K/u6D9ugCDprCUPoqDTIEyARtrhr+Ds0NXi6+TMSnnJvkCx2XYH0yNv93LJ9wz:74B6D9XcPJ0EnENIJV3HVNRz
Threatray 5'114 similar samples on MalwareBazaar
TLSH 9CF49D997E1488E1D0578538C9638676D6B27C055E2C934FE390FBBE9F33251AD2A323
Reporter lowmal3
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154743/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36878171.10484.20304.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779031
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 411427 Sample: SWIFT001411983HNK.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 43 www.lifecrops.com 2->43 45 www.dfjdfjfdjreu548458.xyz 2->45 47 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->47 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 6 other signatures 2->75 12 SWIFT001411983HNK.exe 2 2->12         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\XtZxp6.exe, PE32+ 12->39 dropped 41 C:\Users\user\...\XtZxp6.exe:Zone.Identifier, ASCII 12->41 dropped 15 XtZxp6.exe 2 12->15         started        process6 signatures7 89 Multi AV Scanner detection for dropped file 15->89 91 Maps a DLL or memory area into another process 15->91 93 Sample uses process hollowing technique 15->93 18 svchost.exe 15->18         started        process8 signatures9 61 Modifies the context of a thread in another process (thread injection) 18->61 63 Maps a DLL or memory area into another process 18->63 65 Sample uses process hollowing technique 18->65 67 2 other signatures 18->67 21 explorer.exe 18->21 injected 25 msiexec.exe 18->25         started        process10 dnsIp11 49 www.shortexts.com 103.224.212.219, 49747, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 21->49 51 tigerlandscaping.net 160.153.136.3, 49745, 80 GODADDY-AMSDE United States 21->51 53 11 other IPs or domains 21->53 77 System process connects to network (likely due to code injection or exploit) 21->77 27 XtZxp6.exe 1 21->27         started        30 help.exe 21->30         started        79 Tries to detect virtualization through RDTSC time measurements 25->79 signatures12 process13 signatures14 81 Maps a DLL or memory area into another process 27->81 83 Sample uses process hollowing technique 27->83 32 svchost.exe 27->32         started        85 Modifies the context of a thread in another process (thread injection) 30->85 87 Tries to detect virtualization through RDTSC time measurements 30->87 35 cmd.exe 1 30->35         started        process15 signatures16 55 Modifies the context of a thread in another process (thread injection) 32->55 57 Maps a DLL or memory area into another process 32->57 59 Sample uses process hollowing technique 32->59 37 conhost.exe 35->37         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632/
Threat name:
Win64.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-11 00:43:39 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gy4kzcc66y7tww723wk3b5b4gtbyktreqow55bz3hvp4u6udcyza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
27563e3971b4f2baf6bf551323b1538809038aa456d5e0c02dd5e6a902b8f0e6
Formbook
37a8922f49037f65771bc1e4ab9d7fbb4b1c27ce2bc79fe618705f4d90ad7615
Formbook
59dfc7b23638bdecf18820f02997f0065b139d6e1b0ac0628b51ad4aef0a57d5
Formbook
5bcba2a09d8758ca07490dfcd3859a64b3a0092ed7873a707e73346eefd4235e
Formbook
6878e1b95116d026a4e76c4e8130019f12391307af78a7efe50ce01eebe8ee3d
Formbook
91fa1797421a3393289ae3892d128158ca3a16efd453be49e0c38d5891deefba
Formbook
c651e973d7cc7d54b38d45b9c464889778e4262d3dfeb692cd87f0a2fd0d7079
Formbook
f96442a26d160132827a3b109acadaf4aad9dab625939103677cc93783c93ea6
Formbook
fd578808fbbd44d564598d6c46f512b9511531402f720afc67bcbf6d4d42f59a
Formbook
+ 5'104 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210511-ekpvlwrm22/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.sembrangpoki.com/epns/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/154743/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 06:03:30 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
3) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
4) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
7) [C0045] File System Micro-objective::Copy File
8) [C0052] File System Micro-objective::Writes File
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0017] Process Micro-objective::Create Process
11) [C0038] Process Micro-objective::Create Thread
12) [C0041] Process Micro-objective::Set Thread Local Storage Value
13) [C0018] Process Micro-objective::Terminate Process