MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb
SHA3-384 hash: ec23a6f6941266216933cf4ce447c92bb055643834945ddf5298d8b3f21abb0cd2d3d712a874feb13157cb80b0f2ff91
SHA1 hash: fbd274c70fc33987b2faa951165fc4dd83e34571
MD5 hash: 226835410d10ea77c9a0aad501c2ba06
humanhash: massachusetts-high-wolfram-california
File name:Quote#099992114842_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:817'507 bytes
First seen:2022-04-27 08:17:09 UTC
Last seen:2022-05-03 14:37:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 12288:GENN+T5xYrllrU7QY6zHNAjZdix8DhIe2IzwWVnhj6zid4v8uwslUnG0kBz:K5xolYQY6zHNuiAIen8WLe2c8uwciG1
TLSH T1E405B023B900611AD47785B1243AB6626A216F1A1B91DC4BB3D0FFB670B9D03F1B671F
TrID 58.8% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 39f9f030333d7a98 (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267152/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe explorer.exe greyware keylogger overlay packed shell32.dll update.exe
Link:
https://www.filescan.io/uploads/6268fc24c3df631b32be72f7/reports/b5268c76-384e-4be4-b92a-2497464a7619/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39531a15-2f30-4154-b3ad-971aa53e36d5
Result
Threat name:
CryptOne FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983898
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: File Created with System Process Name
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 616395 Sample: Quote#099992114842_pdf.exe Startdate: 27/04/2022 Architecture: WINDOWS Score: 100 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for dropped file 2->94 96 Antivirus / Scanner detection for submitted sample 2->96 98 13 other signatures 2->98 11 Quote#099992114842_pdf.exe 1 4 2->11         started        15 explorer.exe 2->15         started        17 svchost.exe 2->17         started        19 6 other processes 2->19 process3 dnsIp4 78 C:\Users\user\...\quote#099992114842_pdf.exe, PE32 11->78 dropped 80 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 11->80 dropped 128 Installs a global keyboard hook 11->128 22 icsys.icn.exe 3 11->22         started        26 quote#099992114842_pdf.exe 18 11->26         started        130 Changes security center settings (notifications, updates, antivirus, firewall) 17->130 84 127.0.0.1 unknown unknown 19->84 file5 signatures6 process7 file8 70 C:\Windows\System\explorer.exe, PE32 22->70 dropped 110 Antivirus detection for dropped file 22->110 112 Machine Learning detection for dropped file 22->112 114 Drops PE files with benign system names 22->114 116 Installs a global keyboard hook 22->116 28 explorer.exe 1 20 22->28         started        72 C:\Users\user\AppData\Local\...\myjvcxp.exe, PE32 26->72 dropped 33 myjvcxp.exe 26->33         started        signatures9 process10 dnsIp11 86 vccmd01.zxq.net 51.81.194.202, 443, 49717, 49718 OVHFR United States 28->86 88 googlecode.l.googleusercontent.com 142.251.31.82, 49712, 49713, 49714 GOOGLEUS United States 28->88 90 6 other IPs or domains 28->90 82 C:\Windows\System\spoolsv.exe, PE32 28->82 dropped 132 Antivirus detection for dropped file 28->132 134 System process connects to network (likely due to code injection or exploit) 28->134 136 Creates an undocumented autostart registry key 28->136 138 3 other signatures 28->138 35 spoolsv.exe 2 28->35         started        39 myjvcxp.exe 2 33->39         started        file12 signatures13 process14 file15 68 C:\Windows\System\svchost.exe, PE32 35->68 dropped 100 Antivirus detection for dropped file 35->100 102 Machine Learning detection for dropped file 35->102 104 Drops executables to the windows directory (C:\Windows) and starts them 35->104 106 Drops PE files with benign system names 35->106 41 svchost.exe 5 4 35->41         started        108 Installs a global keyboard hook 39->108 45 explorer.exe 39->45         started        signatures16 process17 file18 74 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 41->74 dropped 76 C:\Users\user\AppData\Local\stsys.exe, PE32 41->76 dropped 118 Antivirus detection for dropped file 41->118 120 Detected CryptOne packer 41->120 122 Machine Learning detection for dropped file 41->122 126 2 other signatures 41->126 47 spoolsv.exe 1 41->47         started        50 at.exe 1 41->50         started        52 at.exe 41->52         started        54 17 other processes 41->54 124 Installs a global keyboard hook 45->124 signatures19 process20 signatures21 140 Installs a global keyboard hook 47->140 56 conhost.exe 50->56         started        58 conhost.exe 52->58         started        60 conhost.exe 54->60         started        62 conhost.exe 54->62         started        64 conhost.exe 54->64         started        66 13 other processes 54->66 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2022-04-26 00:37:37 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkv7pp5ekhvcqzjluucdu24zplzyuoh2yfkejeymnhlv66s6ns5q._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/220427-j7arrahfa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
352dfb5b7de96827a21cc378c1a6c69810910d7a8d5ba447626a9e60ce9d93f5
MD5 hash:
c7e11ed9adda1b9cd61b3bb4a8112afd
SHA1 hash:
1b9b4e31a1deee78eaf9d24904ad75e874f6ea1b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/85e8efe1-086f-4c1f-af2f-a1cc2a727a79/
Parent samples :
7f8435d43386aa3aee57de7fe1889c8e7762271428c279827b3293e3af5af282
a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c
52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb
SH256 hash:
bd99a27b7d0fc33772d709a9e0dda28bcadc1cf9d315a910fc727ce7677a0c1e
MD5 hash:
cbf2b672d79722626c96b999cef42f37
SHA1 hash:
0ed5f0f682527dea9239d4d39402a5e6a0e51d31
Link:
https://www.unpac.me/results/85e8efe1-086f-4c1f-af2f-a1cc2a727a79/
SH256 hash:
968157557eed52e26adc973f071f6ef00d68b92eb3b90cc62a26fe450a3ceb4d
MD5 hash:
810cfc18c6bb0c80a8f03af0b6eb921c
SHA1 hash:
7a5b50f0917f864c1f87bd9eb189df367ab4bd9f
Link:
https://www.unpac.me/results/85e8efe1-086f-4c1f-af2f-a1cc2a727a79/
SH256 hash:
ea9fdc809311eabacc896af13b5db5a72c5562d2f25547b8e6e9855a1735f129
MD5 hash:
1b80b80dcabd905115c22d732463df2e
SHA1 hash:
4cfa9f90aee74756e31f9ea988db3dcd4d0c1031
Link:
https://www.unpac.me/results/85e8efe1-086f-4c1f-af2f-a1cc2a727a79/
SH256 hash:
52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb
MD5 hash:
226835410d10ea77c9a0aad501c2ba06
SHA1 hash:
fbd274c70fc33987b2faa951165fc4dd83e34571
Link:
https://www.unpac.me/results/85e8efe1-086f-4c1f-af2f-a1cc2a727a79/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52abf7bfa451/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/267152/

Comments