MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f180fe3f695de063f953d0c48408aceabbca729b3faa7316926c69650a5f8a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f180fe3f695de063f953d0c48408aceabbca729b3faa7316926c69650a5f8a4
SHA3-384 hash: 16b16f377e17dc15ef9e89aa53adb0b1597f2107e7dcf81e1843a7c450bc268d376bdf913e1172ddfe597f24acdd1369
SHA1 hash: 741532ba5150b1cf259ab02d3c88406a3ff25556
MD5 hash: 8d5bb155ec1fbeae176b38e35eafcc7f
humanhash: kentucky-sweet-fish-queen
File name:Swift Copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:343'040 bytes
First seen:2020-05-27 12:03:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fd94ccd1dec1c5baf6be7519f2d9282 (8 x Formbook)
ssdeep 6144:EkJSjYIlddF6soi2HaSZfl0uhdS6OTadvXDzdkD:3JYtlsk2HjZfl08dPm8vzzdkD
Threatray 5'233 similar samples on MalwareBazaar
TLSH A874BF23BA69063CD63F60B07DE7CD968ED649D3A06F8CAAD68CD401C56D7C049A7273
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mata.com
Sending IP: 173.82.208.176
From: motsoa@georgetexidor.com
Subject: Swift Copy
Attachment: Swift Copy.7z (contains "Swift Copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Variant.Zusy.304233.30050.1588.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 12:34:52 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
29 of 48 (60.42%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
0abe72d915f50b2a21fc3cafc52152db81bef2a16be4ccde68e64942bf927af1
Formbook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
Formbook
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
Formbook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
Formbook
79aeb20e06ed62c3986034328cd3a6a5e08eb617cba4af679112640f786497da
Formbook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
Formbook
b482878e8c9aceaaec6d36517cfa3041b1f896fcac47168c300e043059a486e1
Formbook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
Formbook
c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
Formbook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
Formbook
+ 5'223 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-4k6b5lfnv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.regulars6.com/8mous/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 5115f90655630bafc0704e0d4560cd5919210ab7c36e01a7c37b96b84b1ece92

Formbook

Executable exe 3f180fe3f695de063f953d0c48408aceabbca729b3faa7316926c69650a5f8a4

(this sample)

  
Dropped by
MD5 5f556c7677938ba882f59c38c1c712a2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5115f90655630bafc0704e0d4560cd5919210ab7c36e01a7c37b96b84b1ece92

Comments