MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e2e974e72cad787eefb413d7a2cec8bf4f71365ac46093556a8362e9ada553. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 69e2e974e72cad787eefb413d7a2cec8bf4f71365ac46093556a8362e9ada553
SHA3-384 hash: afb230223947872be4b9e649accd7015466bfbbb24bc9b62634d538199b9542ba53b83d6da2a1eca87a23b68b9e9a955
SHA1 hash: 4b842c05a612dc77bf6562aa75007f639458dd3e
MD5 hash: a232a361059478b456ffd614067feabf
humanhash: arizona-finch-ten-juliet
File name: Swift Advice RefGLV501756103.jpg.exe
Signature: Formbook
File size: 454'656 bytes
First seen: 2022-03-08 16:07:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:R9KwdFF67NGyFWqKi1SOpR78tLVhwFE0dTGTCJPqgcSEPxNPoWQj7uy4x:R/F67gkSOhfot56C0DUDPHwWQjKF
Threatray: 131 similar samples on MalwareBazaar
TLSH: T133A4E08AEB1BC512CB26BB7FD272D6422A05FE71F45E5747A2E3B8F429171C938500B4
dhash icon: 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 193
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph (ID 585214)
Sample: Swift Advice RefGLV50175610...
Start date: 08/03/2022
Architecture: WINDOWS
Score: 100
Contacted domain: store-images.s-microsoft.com
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Process tree:
Swift Advice RefGLV501756103.jpg.exe (started)
    dropped: C:\Users\user\AppData\Local\huss.exe (PE32)
    dropped: C:\Users\user\...\huss.exe:Zone.Identifier (ASCII)
    dropped: Swift Advice RefGLV501756103.jpg.exe.log (ASCII)
    Swift Advice RefGLV501756103.jpg.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            huss.exe (started)
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements
                huss.exe (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
            huss.exe (started)
            autofmt.exe (started)
            msdt.exe (started)
        svchost.exe (started)
            signature: Tries to detect virtualization through RDTSC time measurements
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2022-03-08 16:06:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook campaign:f1s1 persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Unpacked files
SHA256 hash:
16606596ba9df355f0d9f1178126ed614916c9599c33eba61a1b8a9d0edfce91
MD5 hash:
1bd145675ce56bae56f8cd79e2f640a5
SHA1 hash:
54bea357225bcc85c61c25863c8e2ff667a1094c
SHA256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
SHA256 hash:
69e2e974e72cad787eefb413d7a2cec8bf4f71365ac46093556a8362e9ada553
MD5 hash:
a232a361059478b456ffd614067feabf
SHA1 hash:
4b842c05a612dc77bf6562aa75007f639458dd3e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_Reverse_DOS_header
Author: SECUINFRA Falcon Team
Description: Detects a reversed DOS header
Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research
Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Other

Comments