MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5
SHA3-384 hash: 31ecdfcdbb01bdf9c8b1e0b0c50866d1c7f0fc29da721d40846543733a2813f05444294324cbd7d04113c244e3374042
SHA1 hash: 38e2b316bac97abe7a889de7e009791b478ac581
MD5 hash: 3c7ebe1e242ff26c729ace86a057f728
humanhash: don-kilo-delaware-jig
File name:SWIFT COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:715'264 bytes
First seen:2023-09-29 11:32:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:7cLAckjb4TZ/N01+tDZsMjJt5tTNR0FbeYQdGwb3y79tlw+GfB:MkH4TZqgtqMjnPTNR0F6pzo3nG
Threatray 34 similar samples on MalwareBazaar
TLSH T17DE401425B5526C1E6BF5275AAB6117003F76A52CC38CE2D08CC21DC1BFBB91BA50FA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 229878f8b4f031c4 (24 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451940/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6516b5f10870810f018927db/reports/201a6442-5f24-42d1-b0db-62d06f052ab6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9d18a4bf-b727-4098-81c0-ebd8edfee4cc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1316546
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316546 Sample: SWIFT_COPY.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 96 26 Malicious sample detected (through community Yara rule) 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected FormBook 2->30 32 4 other signatures 2->32 9 SWIFT_COPY.exe 3 2->9         started        process3 signatures4 34 Injects a PE file into a foreign processes 9->34 12 SWIFT_COPY.exe 9->12         started        process5 signatures6 36 Maps a DLL or memory area into another process 12->36 38 Queues an APC in another process (thread injection) 12->38 15 KlPlffpfHBQshd.exe 12->15 injected process7 process8 17 chkdsk.exe 15->17         started        signatures9 24 Maps a DLL or memory area into another process 17->24 20 explorer.exe 1 17->20 injected 22 KlPlffpfHBQshd.exe 17->22 injected process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-29 08:33:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
8 of 36 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krjnkwi6ongz4rd6fwvmsq3ugj5r7ap5jdardmjz6c62n75nf7cq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
05360352816fd2dfd09c05a57131f86c59fd38f7153c5261973216cf596ad077
Formbook
0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203
Formbook
3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6
Formbook
6ed8801868c8baadf89c50bff443e9c29002e0db951ee456ffba50bca1812d6d
Formbook
8326158d0aea2a3ee6a49cc3f88e1c3779eb479790a8b0451133a09c1ca0a777
Formbook
95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511
Formbook
9fe145f64a6f2ed8283b9bfb1e97a3c93087d8495a53af984d619760c7d859a5
Formbook
b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a
Formbook
becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789
Formbook
de99e6f0be1e9a5d12fa7d4fe82b34cfb6ba6b85cee18e4acec0d7f97593bcbf
Formbook
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230929-nnwmbsbe28/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
877ca164380d13464cc7e395bc07a2f6b90bb9b1fe00368eff94f53d24937182
MD5 hash:
b4d0b2753970a5e1cfdd6c988e94e612
SHA1 hash:
f62595bb9236abddfe003ec7e2abf7db0a3f5a3e
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
SH256 hash:
08372fb70ef35b9be3971632f048e1d3f6a476e2249ac7975850f1228a08719f
MD5 hash:
4f8efcbc6acbb9d8e642b4132ec6d9fb
SHA1 hash:
aea948f4f18ca129bca6a9d8596870364a34fa57
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
SH256 hash:
2a9f93f9c3de4230564abb934fe43999bde4a90bdac09c6cd046fd9549c64fc0
MD5 hash:
b97016aef3f1cd5fa1e7d1e793cacced
SHA1 hash:
85bf8e6abda26d1f56570639b648565a5aef98d2
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
SH256 hash:
bc6e1487bee00a8fd2b639ee4e60867d7e409bd3cb6be1451f5ddbce26340766
MD5 hash:
fe233bfa89c7e26811c45fec198f7937
SHA1 hash:
6f0af0f155b841786f43b01e0c1c033aa277cdbd
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
SH256 hash:
df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c
MD5 hash:
8383b9306b9b5929b0aed1f24991d929
SHA1 hash:
6acebb9f139a62de981a3ec15ce35f61f5c3132e
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
SH256 hash:
7d451f7052e87d9c1e305565002f200d5e2e43fe04a773ad1d72f1f220fcff88
MD5 hash:
b23c837864ed6c0c0986b0de17ac063a
SHA1 hash:
44cd1740ff99efe039b0b9f23caa8158b46a9ed6
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
SH256 hash:
5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5
MD5 hash:
3c7ebe1e242ff26c729ace86a057f728
SHA1 hash:
38e2b316bac97abe7a889de7e009791b478ac581
Link:
https://www.unpac.me/results/e6036bad-9d22-493c-807a-3a3a73a52e8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451940/

Comments