MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096
SHA3-384 hash: 37eeac1b1d6ba0f9c3a02bc946dc4b8a039f4a94b3cb1374c7acbecf82c2af6ed0f4cdeca0ef1777df167e32fd1b636c
SHA1 hash: 40822a1914225d5ee4c648e4a1014794af802e38
MD5 hash: 674b265386b0436e06409005786328eb
humanhash: echo-triple-india-zulu
File name:Swiftcopy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:750'080 bytes
First seen:2023-05-29 09:54:03 UTC
Last seen:2023-06-07 09:27:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NVHkmFx2iqNhujGjUlzoN0sGIXrmUK7hXtKSpuHVhQ5jVhIAEpaJQO/SE7/xDlEi:vEmFxULNX527x1A1O3WaJR7/dB
TLSH T10BF4125052A7CB2BD93F47FD60616B3003FC5B8A7662E7474DD3B0E89AA6F590E0490B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swiftcopy.exe
Verdict:
No threats detected
Analysis date:
2023-05-29 09:55:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/772fd8f7-2cd4-4e99-b520-a9b2813863c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393028/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.26689.172.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6474767774c10a559383a588/reports/3771d05b-53f9-438d-85fa-8f267b531fe8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92ca8d06-a059-44f5-880b-81ee2346d42f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1244379
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877389 Sample: Swiftcopy.exe Startdate: 29/05/2023 Architecture: WINDOWS Score: 56 15 Multi AV Scanner detection for submitted file 2->15 17 .NET source code contains potential unpacker 2->17 19 Machine Learning detection for sample 2->19 6 Swiftcopy.exe 3 2->6         started        process3 file4 13 C:\Users\user\AppData\...\Swiftcopy.exe.log, ASCII 6->13 dropped 9 MSBuild.exe 6->9         started        11 MSBuild.exe 6->11         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 01:18:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iidvlns7usn76b4fz2ffmyapd2at66bb73yj6flm7273i34pccla._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230529-lw94ksbb66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b5582e73e588fc959cae146c63acd70c9051dd96f3ff5113f643766f848f8e94
MD5 hash:
c9b3905a3a1f68967d555842586865f5
SHA1 hash:
c9b61046eb966be617cef654ebd6cf7a6b585bf5
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
Parent samples :
6c5b4378745340c16dea4416b667471193eb51246b48c0a2e69b7c22ec94c3c0
420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096
325af2369691a45f5421d141a8b4e7d5a1a1bc28bce159ccc421daabaec846fe
2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
SH256 hash:
57b7c6678d14d1f241d11540546d0f726b19fe65e71168b325e8b7146daf3dc5
MD5 hash:
104b4b88600bdd650c4e3f8903d9d292
SHA1 hash:
d50033a865b5e43e8e2b69a06fec4761375f2c95
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
d593fa1534f3ea4b94289cb9a121ad199c0d10da2be4c971fe0030d464048d50
MD5 hash:
3d5642f1c29d2db56f461dcea64615d1
SHA1 hash:
58105ca2f7d1777e1d4329e4aad56cf31d68a8b5
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
SH256 hash:
58c1ce1b1291f69f12745fc6b46332de324298d5ff79a1c049f92b4691dfb5fb
MD5 hash:
798dc3ad514614b160b7407977200deb
SHA1 hash:
27e9e54e9c1051422a25467ecef8547f4e544fcf
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
SH256 hash:
420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096
MD5 hash:
674b265386b0436e06409005786328eb
SHA1 hash:
40822a1914225d5ee4c648e4a1014794af802e38
Link:
https://www.unpac.me/results/df15b66a-15b8-4ef6-8975-e0ae32327f6b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/420755b65fa4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393028/

Comments