MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f
SHA3-384 hash: 7eeb868a7c0658d04e5fc3c4d7facb4af15a7c27dfc04eece6fe9302a3e0d4aad9b9ff9c59094c8cf248db59a837c411
SHA1 hash: bed8d15e52ea8ad712941ddc862140c130e25b53
MD5 hash: 25f84f144da05e71894dbed202203e57
humanhash: bluebird-sierra-dakota-crazy
File name:SWIFT USD 354,883.00.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'535'104 bytes
First seen:2020-12-26 06:25:51 UTC
Last seen:2020-12-26 07:32:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0J6UXsXX0uRElIpFb9Bc2z3jcLc/GOuTzjuo1kUNQGIfKuQfkKF4azh1GXPg4MO3:0A5
Threatray 6'100 similar samples on MalwareBazaar
TLSH 58654E0249816CCBD7B2D490A34EC2D6B38795DCE7EA5FD4AE10E21532CC4B7EB69D81
Reporter cocaman
Tags:exe FormBook

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Dec 25 04:40:58 2020 GMT
Valid to:Dec 25 04:40:58 2021 GMT
Serial number: 84817E07288A5025B9435570E7FEC1D3
Thumbprint Algorithm:SHA256
Thumbprint: 0B7F0890E4306988B1BA347384AB4BEA7C1CE4173A91DF3285D98BB3301AE0A0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
537
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT USD 354,883.00.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-26 06:27:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2c44232-7d39-4633-838b-3a8f9a9b4243

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109469/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.56520.17196.8318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570132
Signature
.NET source code contains very large strings
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334125 Sample: SWIFT USD 354,883.00.exe Startdate: 26/12/2020 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 5 other signatures 2->43 10 SWIFT USD 354,883.00.exe 3 2->10         started        process3 file4 27 C:\Users\...\SWIFT USD 354,883.00.exe.log, ASCII 10->27 dropped 13 SWIFT USD 354,883.00.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.bunbook.com 156.234.156.249, 49751, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 16->29 31 7vitrines.com 108.179.193.138, 49774, 80 UNIFIEDLAYER-AS-1US United States 16->31 33 24 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 systray.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-12-25 06:17:19 UTC
File Type:
PE (.Net Exe)
AV detection:
29 of 48 (60.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwjs65citrbcevxylntahmp5dgfznlywjvkfhqi7idxjv2s5tyxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ba1cd5068eb222e21bf0f4799f531c5dc07849d4920d3410a78b4aef0559ac8
Formbook
24ab4616829b8c7bce068426184e9ff9ac006208ab47160890cb92a08f0bc885
Formbook
306dc076ebd63fe8d969a99984470c480737e86eba1fb55ebe1ef49a8b987565
Formbook
34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559
Formbook
81fd7b4c68d09347415a53e0fcf3a7fc3d3277be9fdc9a67e550078a53f4b96d
Formbook
ade2f980cf7854d961f35a312e9b21b5372ae091765c2fe9c860602107e7eedd
Formbook
cfb7d8e6f49f1f067aff2762657006d278b719fce64fbe89864baab8ae908120
Formbook
d0d44ccb48b649e89a18773ccea8337047e57247d29dbedc1abab31f265e7e45
Formbook
d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866
Formbook
ef29187e2964b2254485750fc8f781ad288688167527c2a975072ae6e77dcef0
Formbook
+ 6'090 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201226-6smdrbbz86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ameeraglow.com/6bu2/
Unpacked files
SH256 hash:
c313e3fd02df0a763d6cf42e8797d15d279b963aee7df889268085c2a8bbd272
MD5 hash:
828242e68d455b0e0ebf88411165ae72
SHA1 hash:
c2f1cc587e24fbf3bc1ce32578830f693785ca0c
Link:
https://www.unpac.me/results/54c45db8-a38f-4343-8610-5744b1829adf/
SH256 hash:
1a3e5f5580a03ba67c0bfcb7078d14a25c35adb6cfaa4fbc1aab5a856342f66b
MD5 hash:
c1429cf0a7148dc171fc9c036fefa418
SHA1 hash:
1631ff904b215f2a2220e7ecbbd3db18708aa9f6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/54c45db8-a38f-4343-8610-5744b1829adf/
Parent samples :
24ab4616829b8c7bce068426184e9ff9ac006208ab47160890cb92a08f0bc885
65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f
SH256 hash:
65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f
MD5 hash:
25f84f144da05e71894dbed202203e57
SHA1 hash:
bed8d15e52ea8ad712941ddc862140c130e25b53
Link:
https://www.unpac.me/results/54c45db8-a38f-4343-8610-5744b1829adf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Noon
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip e9653a518a660f088185df48ef783058bb6902c295d6dbdef795b2da7267e7aa

Formbook

Executable exe 65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e9653a518a660f088185df48ef783058bb6902c295d6dbdef795b2da7267e7aa
Cape
Cape
https://www.capesandbox.com/analysis/109469/

Comments