MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987
SHA3-384 hash: 61c6397590707690e510b1ed856422fdc88e717c62262adafd4c5bc6191a22062d7ebddb073cbf07b1f5e2df89385592
SHA1 hash: 38b532491e7299e8807ad08c94355fb31fa8d0fd
MD5 hash: 5cc6135535d230622f46ea5961fe4beb
humanhash: black-juliet-pennsylvania-comet
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'605 bytes
First seen:2022-04-08 09:35:39 UTC
Last seen:2022-04-08 11:11:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmR1k7apCbI1nKOPculvU1YQhKXEhKSL4T81O5WGhy:HNlRvn1QPg/181O5u
Threatray 14'750 similar samples on MalwareBazaar
TLSH T1EE341249F690C9F7E5E257319838F73535EA790229640B0F2360EF8C7D22A81DD2E721
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Malicious activity
Analysis date:
2022-04-08 21:40:19 UTC
Tags:
formbook trojan stealer opendir
Link:
https://app.any.run/tasks/0354466f-d0fa-4b92-b091-a5806cb51ccc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262033/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.1.21037.16537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13134/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62500208bbd90911a2968dd2/reports/d8b89b8d-4de9-46d3-acd1-72cd9657f781/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c24106df-ea4e-49fd-8bd9-c01f0edf08ae
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973223
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605722 Sample: Ziraat Bankasi Swift Mesaji.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 4 other signatures 2->51 11 Ziraat Bankasi Swift Mesaji.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\...\jfyfshgghb.exe, PE32 11->31 dropped 14 jfyfshgghb.exe 11->14         started        process5 signatures6 61 Tries to detect virtualization through RDTSC time measurements 14->61 17 jfyfshgghb.exe 14->17         started        process7 signatures8 37 Modifies the context of a thread in another process (thread injection) 17->37 39 Maps a DLL or memory area into another process 17->39 41 Sample uses process hollowing technique 17->41 43 Queues an APC in another process (thread injection) 17->43 20 explorer.exe 17->20 injected process9 dnsIp10 33 www.avisexpert.online 51.91.236.193, 49742, 80 OVHFR France 20->33 35 www.tigranmelikyan.com 188.114.97.7, 49749, 80 CLOUDFLARENETUS European Union 20->35 53 System process connects to network (likely due to code injection or exploit) 20->53 24 control.exe 20->24         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 24->55 57 Maps a DLL or memory area into another process 24->57 59 Tries to detect virtualization through RDTSC time measurements 24->59 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-08 09:36:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqvm7vs5lnba2rxhvkjqvmfu7iprirwr5j5yojbj74bpcg4ldgdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1363922a984440ab7ffb7f1f4872704bc6a96008412d399728b20cc8cb1e4abb
Formbook
1c2f6b38af555e63c11d8dd6bebf23031802d079556720108ba51d5d87418fdc
Formbook
2388aba5e29792fc92af726882eb073d8d896640df9926d0dcd7565e2ee41cce
Formbook
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc
Formbook
613151db2677d34450d7a67d1a78a167f3d5dade8afc2cc4e8309336857bb766
Formbook
945f67ae677681e14db036f753f47333556fea6f3837bef7399e440e6bc167d5
Formbook
d7d5842b7eed6386f41f307b5de1e9b4350fbd21c26eccfa1345ff3a349d9f52
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 14'740 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:as31 rat spyware stealer trojan
Link:
https://tria.ge/reports/220408-lkw3ksbeh4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
73d2c8a67ddb9058954f848629dac22aa4ea924d053d605c15b9be0f29c27b26
MD5 hash:
6d1a334cab8da33b031a2b3890461a64
SHA1 hash:
535e782651f3371ec5112e615d2518bc5f50cf09
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5b08dd9b-8c53-4085-93b0-294fb2fad837/
Parent samples :
c6c0c397d2ebb9d9188e91750d7c04c17f59d70025fab943a03c82229549dd53
d1ca39fd3a44e5d54b0d5f6b578af0d1f48e78296cb15f5acede16368039e5fb
6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987
613151db2677d34450d7a67d1a78a167f3d5dade8afc2cc4e8309336857bb766
9bd32d94621a5a74385f189f23e647fc1431db38032d0433613f0bf08b51362a
f9ec408f51f4e31dbe8977db554dcda8e58e0f89eda485b361026b379f69eb6d
0f91e080cdc1fbe9586f0da5ac31afe72b931cf71d3b907495687316dfb82a3d
e6fff69c658eefdd7ba7deba86d09717b77aece9c9ca1a6e980f58ad3e2de86d
e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792
1bfc4e45067f4f1fc583289ac5f8ab3bba6403443f51d18c8546adf58de68501
aef1512bffbba03e4655ebcf9a164229f259aeb1224a716d05d1be67a55b528f
e1434d76244d2be8b84eb06a76100eed90c75406228c14c0d0b65218bb84800f
SH256 hash:
757918636b36c8bb4b47497fbddbf3d06c13dd664d7cb1090d23bd5c75bfb551
MD5 hash:
aab286527f400eb6a67048d311bcd409
SHA1 hash:
bc1d61747bb7d2d7b977b203fa22b4fb521640ed
Link:
https://www.unpac.me/results/5b08dd9b-8c53-4085-93b0-294fb2fad837/
SH256 hash:
6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987
MD5 hash:
5cc6135535d230622f46ea5961fe4beb
SHA1 hash:
38b532491e7299e8807ad08c94355fb31fa8d0fd
Link:
https://www.unpac.me/results/5b08dd9b-8c53-4085-93b0-294fb2fad837/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6c2acfd65d5b420d46e7aa930ab0b4fa1f1446d1ea7b872429ff02f11b8b1987

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/262033/

Comments