MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b
SHA3-384 hash:	e59543a52397b6dfd878da1b2aa5eafe3d45f4a0ca063bd5f04f7f0ed1d5a53b0a040e8dd85a8e24e8d89b53a3ec421c
SHA1 hash:	3848bd9a52433f94bb77b41e77620323b3faa0e0
MD5 hash:	b63f00f4bbecd14217d4d9de887ff832
humanhash:	cold-lamp-mobile-helium
File name:	swift.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	300'777 bytes
First seen:	2023-02-15 11:57:46 UTC
Last seen:	2023-02-15 14:03:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	6144:vYa6N0CqudwpubkE5cYtAqStGC3BjAsnlE7wbWs6tV1w2HIN58Zj:vYv1q0bLOYtAqSZBjxnlEMqs6v258F
TLSH	T1E354137976CDC4BBF96202726D3553E26EB6F92124F2550B1B801A8E3FB24426D1F362
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

swift.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 12:00:33 UTC

Tags:

formbook xloader trojan stealer

Link:

https://app.any.run/tasks/cc329282-7e66-499c-8da3-2b6ff228b6de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/366542/

Detection(s):

SecuriteInfo.com.Trojan.Garf.Gen.6.18739.24268.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Searching for synchronization primitives

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/70321/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ecc8cc178c324d143e49b5/reports/615cc0bf-6e48-4320-843a-aea342256311/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12779f1b-36fa-4062-a2c7-6914c39922e1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175645

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-02-15 11:58:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hlzmbecpg4u6aqepmr47iirnl66pnfpswxgtf2dtp2djazq3wgfq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:k04s rat spyware stealer trojan

Link:

https://tria.ge/reports/230215-n46ggabf33/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

f87a495d1f7e306fa8112d09a8f205248bbd13ba623a818489ba6768ab5f8ff2

MD5 hash:

7eea6f906e8fce8ddcb55c4e4e418e60

SHA1 hash:

bc5ceca647a64879607af73226ab5d40d574ba7d

Link:

https://www.unpac.me/results/287c16d8-9934-4d1c-b86e-d145f947f8fd/

SH256 hash:

3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

MD5 hash:

b63f00f4bbecd14217d4d9de887ff832

SHA1 hash:

3848bd9a52433f94bb77b41e77620323b3faa0e0

Link:

https://www.unpac.me/results/287c16d8-9934-4d1c-b86e-d145f947f8fd/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3af2c0904f37/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/366542/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample