MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0
SHA3-384 hash: fb616584115ed9b15ee16f038685afccd9508c47e6324b46942a239333ab8e793ccd88a5de75ae7fbf53dbc3264b0820
SHA1 hash: 1c849c99e4a5972d61772abc11f7d28a219b98cb
MD5 hash: 3f93a2c97c899ac6b2a2b2cf7270a12b
humanhash: floor-delta-red-saturn
File name:USD SWIFT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:897'536 bytes
First seen:2025-03-18 07:15:04 UTC
Last seen:2025-03-19 16:46:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:QhPQN01qehC9jU7ZLWaThtEkQvlm3J3QrCqF0AskXuVKwJghV71pb0XI:yrpnD6CG0AsksPuxpb5
Threatray 52 similar samples on MalwareBazaar
TLSH T12D15E06CFE25AF7ACB8C0F738117114482EB9457E672F26B5DD90CE209A8B0C854FA57
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
6
# of downloads :
361
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
USD SWIFT.zip
Verdict:
Suspicious activity
Analysis date:
2025-03-18 06:58:45 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/0c5e0e36-7842-479a-9889-64ad190fa397

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d933c53962f1a6f4729039
Tags:
virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Labled as:
HackTool[Obfuscator]/MSIL.DeepSea
Link:
https://www.hybrid-analysis.com/sample/6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0
Result
Verdict:
MALICIOUS
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51f81ba7-ee10-4954-be1b-13f4feed7fa0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1641340
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1641340 Sample: USD SWIFT.exe Startdate: 18/03/2025 Architecture: WINDOWS Score: 100 31 www.seekmeme.xyz 2->31 33 www.persembunyian.xyz 2->33 35 3 other IPs or domains 2->35 41 Suricata IDS alerts for network traffic 2->41 43 Antivirus detection for URL or domain 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 49 6 other signatures 2->49 10 USD SWIFT.exe 3 2->10         started        signatures3 47 Performs DNS queries to domains with low reputation 33->47 process4 file5 29 C:\Users\user\AppData\...\USD SWIFT.exe.log, ASCII 10->29 dropped 61 Injects a PE file into a foreign processes 10->61 14 USD SWIFT.exe 10->14         started        signatures6 process7 signatures8 63 Maps a DLL or memory area into another process 14->63 17 uPhbYYH0J5vofJTd85.exe 14->17 injected process9 signatures10 39 Found direct / indirect Syscall (likely to bypass EDR) 17->39 20 dxdiag.exe 13 17->20         started        process11 signatures12 51 Tries to steal Mail credentials (via file / registry access) 20->51 53 Tries to harvest and steal browser information (history, passwords, etc) 20->53 55 Modifies the context of a thread in another process (thread injection) 20->55 57 3 other signatures 20->57 23 uPhbYYH0J5vofJTd85.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.myfort.xyz 13.248.169.48, 62201, 62202, 62204 AMAZON-02US United States 23->37 59 Found direct / indirect Syscall (likely to bypass EDR) 23->59 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-03-18 03:11:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nf2o3md3lf4fgc2q7iytxtbeof2sciy53nwsqtdkimaw5stc33ya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
03723f94dee063bbbcd8fe02e71ad5459805f10429b39956c5d7e05ab3068b7e
Formbook
26448f1e910a4e7de44f7fd93fe2cc5850d915d120fe9a6a4c9a3c2f63bc83f3
Formbook
6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0
Formbook
799e2a0426beeafc490746851d8992cd169ed89c3d4244459f531a9f4fa72375
Formbook
cd4b98de3dacf06e429593bfc098f96fd9d03fa9c6a95e1ab5a7f4a93b04d29a
Formbook
e995625ce21ffd58435c425d4350f614f8126d4fc9e48459eef83b70cc58da53
Formbook
error
Formbook
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250318-h3cj4swyew/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57892c33-0d4d-4660-b3f5-8d63360f9ac3
Unpacked files
SH256 hash:
6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0
MD5 hash:
3f93a2c97c899ac6b2a2b2cf7270a12b
SHA1 hash:
1c849c99e4a5972d61772abc11f7d28a219b98cb
Link:
https://www.unpac.me/results/1110254e-aa73-4304-8958-64a22a078ed6/
SH256 hash:
dea27a77f7b3e963fab32081cdd647c6c1853d3290d084974cc9afc03330dbb3
MD5 hash:
4f9e0049c87b26eb7c222048df829a1c
SHA1 hash:
1671ef7a3d1b0afc6db140e1de421272f7b8866a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1110254e-aa73-4304-8958-64a22a078ed6/
SH256 hash:
094a2002272a6a5c1a719550f4ce12f25f397689796f090ad26991cf60698c46
MD5 hash:
a92790e0ffd6d83c3e036197e9eb7092
SHA1 hash:
192c8ab285101b240de22931e4fc96907f134c99
Link:
https://www.unpac.me/results/1110254e-aa73-4304-8958-64a22a078ed6/
SH256 hash:
51ea9157b7cae4cdee16d6007e949dfdf833de7715f4b0bfbdd91b9cd1b5a82a
MD5 hash:
87b522966f156f38d9ff9fb09fe89ce2
SHA1 hash:
e0cf3a26b03e8affa99961cf95e9d5342cc5f98c
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/1110254e-aa73-4304-8958-64a22a078ed6/
Parent samples :
d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d
05af5a6bdfe6f518c6c7fdef1694e3afb477963be7770a13936a2a93c3de5dcb
1a5d14c701d5d786f3940993cb3be259d29dae73e5af588d2acf439b40facd0e
a7baa685836623594b54a531ad460907c2302974f1f39377501a6eafb1cefc98
fb171513b327007051a9d8f18b06c92bbf33577034060dc0a725a57eba5c03a0
b90b6f766b3e75cbd0cb02ac6f732e81071d3d2409b101d7986878458de2f9c5
6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0
a641f727fa4566ec19a3a04edcbe7e177aad8fb5f2381907e6c38adfa01f8a7a
2e0c4371996fd665e0845f95679dc888e64bbb4fb8074c98710c107113df8d2e
6664c3557391a898683d1733a38718e110e5a4b51d855fba21c14caa40788db4
16bd0dcc57418cd1689dc890eca5e224eba7ab58c42920ba8209489a5dd35fe4
95586fa277668206c164bcc7af2d92602bf6a993b9f7fda951bbd9fd3342e3eb
SH256 hash:
335405ad58ff9c856159ff59e3e5fc03a5506523c38ffdee9e18ecc1ba29f33b
MD5 hash:
eb6bfc58a060eab2753172fb2a6f68e3
SHA1 hash:
0964974420f706a8816e0e73332db3fae3cfaafd
Link:
https://www.unpac.me/results/1110254e-aa73-4304-8958-64a22a078ed6/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6974edb07b59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6974edb07b5978530b50fa313bcc24717521231ddb6d284c6a43016eca62def0

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments