MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b92711eed01d1ce4bcd40dcc15f622f8efed42409b644d82ba75164f01b8259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b92711eed01d1ce4bcd40dcc15f622f8efed42409b644d82ba75164f01b8259
SHA3-384 hash: e5665c3e668183b9e199f03f1f0bc4f287213f697a327b2df7f935d3afd52be03c83bb7cccc090e7e26a6866a0db5a2e
SHA1 hash: f4d62820c3f3c9c74992980b86dd5ccdfa5340a6
MD5 hash: 0853b005b09ac14d8e5d4b127def1a66
humanhash: ink-sixteen-oklahoma-michigan
File name:Swift Copy.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:523'158 bytes
First seen:2023-01-16 20:17:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:yYyle/MX0i5yj3+d73S1NmabplJzrxuUQhGkS:yYy4UXByj3W73cLlHSGJ
Threatray 4'675 similar samples on MalwareBazaar
TLSH T1E3B412C4FE11C962C9B28A750A37D035EB95BD2A88B05217BAC27F1F7275191B83E713
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 86c4ccd9d0c8d4f0 (1 x Formbook)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Swift Copy.scr
Verdict:
Malicious activity
Analysis date:
2023-01-16 20:19:07 UTC
Tags:
trojan formbook stealer opendir
Link:
https://app.any.run/tasks/ed6d077c-6b9a-48c1-9c9c-a6f3f683b3cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353542/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.21152.24038.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60751/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c5b0fcafdaca54d4388ba6/reports/b4a632c9-09d4-47ec-9588-4c6fea9b0459/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c3b48e3-a9ec-4861-9ee0-c91835e14067
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152623
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 785355 Sample: Swift Copy.scr.exe Startdate: 16/01/2023 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 2 other signatures 2->39 9 Swift Copy.scr.exe 19 2->9         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\nekon.exe, PE32 9->25 dropped 12 nekon.exe 9->12         started        process5 signatures6 53 Multi AV Scanner detection for dropped file 12->53 55 Detected unpacking (changes PE section rights) 12->55 57 Maps a DLL or memory area into another process 12->57 59 Contains functionality to detect sleep reduction / modifications 12->59 15 nekon.exe 12->15         started        process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 3 1 15->18 injected process9 dnsIp10 27 he.adsfzcvx.com 154.210.211.109, 49703, 49704, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->27 29 celdci.org 51.77.12.181, 49707, 49708, 80 OVHFR France 18->29 31 13 other IPs or domains 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 43 Uses ipconfig to lookup or modify the Windows network settings 18->43 22 ipconfig.exe 13 18->22         started        signatures11 process12 signatures13 45 Tries to steal Mail credentials (via file / registry access) 22->45 47 Tries to harvest and steal browser information (history, passwords, etc) 22->47 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b92711eed01d1ce4bcd40dcc15f622f8efed42409b644d82ba75164f01b8259/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-01-16 10:18:24 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nojhchxnahi44s6nidomcx3cf6hp5vbebg3ejwblu5iwj4a3qjmq._file
Verdict:
unknown
Similar samples:
1235559275e785007232e4aee35bd0609d1e52da4900ac8526ff54b592d63c6b
Formbook
2434acaaf7aab02db41a3a09896a912379b081f170663123b9f2223b1de47a46
Formbook
65197e06d709ab4d34cf5b01ee912043bfbf31d919740c59b72ca5ff7740630c
Formbook
78f8221d10ca5af256eefa0376f55e4688e00005317ab0bfb59f5406f9ed16ae
Formbook
8c4cc2077f0eab36be58bb86b34035f1b9c133902630526f609ff0c194f4f236
Formbook
a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648
Formbook
dd1ed5209c967dd24b1a861d3eb959a0d52a3ed54a9e0e39685ec5269760f91a
Formbook
e60da850d4cf946edd8afe4a6f93953565b55b0f3323357e5136b17b8aaf8c5d
Formbook
fa37842557cf180ef8848ad5956d18c46608e4c396dff7d5d378b0d48a78ca9b
Formbook
+ 4'665 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230116-y29q8ach47/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f0ac9c4a-da10-45da-8f80-ac40b6372ae8
Unpacked files
SH256 hash:
5c14e66594f11b8ed23aaac4078e96b7212dc8b2bb398e191ed39235e9e731ae
MD5 hash:
883e7cff50a00fa171c008f42c7a2b71
SHA1 hash:
4767f6091ecea2f6019a529204275d9a2acca5d1
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c062ae90-bd86-418c-bc88-61a1a40cdaa4/
SH256 hash:
113d5412b96cb667e711adc5872981d6baa4f61810e823fd4e3d2298885b9be8
MD5 hash:
4047189a0281e6624a68a0f76d9bed84
SHA1 hash:
825b763056ef1856c96294725217779f64a27a10
Link:
https://www.unpac.me/results/c062ae90-bd86-418c-bc88-61a1a40cdaa4/
SH256 hash:
69a4d1f9b74813d0ca3fded2059985d04f1780c83330d319a5a0e580ffb2076a
MD5 hash:
89e3438454584896769e0b0aabf9b14e
SHA1 hash:
67ae932ae8fb0b475d53b968706e3896b56d939d
Link:
https://www.unpac.me/results/c062ae90-bd86-418c-bc88-61a1a40cdaa4/
SH256 hash:
6b92711eed01d1ce4bcd40dcc15f622f8efed42409b644d82ba75164f01b8259
MD5 hash:
0853b005b09ac14d8e5d4b127def1a66
SHA1 hash:
f4d62820c3f3c9c74992980b86dd5ccdfa5340a6
Link:
https://www.unpac.me/results/c062ae90-bd86-418c-bc88-61a1a40cdaa4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b92711eed01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b92711eed01d1ce4bcd40dcc15f622f8efed42409b644d82ba75164f01b8259

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6b92711eed01d1ce4bcd40dcc15f622f8efed42409b644d82ba75164f01b8259

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/353542/

Comments