MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755519325ba730c3e0ec5cae1d3657e1e42c1327195550c6893dab51179161c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 755519325ba730c3e0ec5cae1d3657e1e42c1327195550c6893dab51179161c9
SHA3-384 hash: c928da75862a212ca3564efb9ad17b18b8e4f0d633dac5be41b9a04d02bdf8edcc7cabd4d3fd6f1a6ad6253cd85fc78a
SHA1 hash: ac98519a45a769c541dcd7eed7d5163172c6e847
MD5 hash: 682759113d4c1b896b15575c921f1f60
humanhash: alpha-india-chicken-hydrogen
File name:Swift copy payment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:364'384 bytes
First seen:2022-02-16 02:35:57 UTC
Last seen:2022-02-21 09:06:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:UwxU76BJztekrMCPJJiYrL0V863/N8UM6eiNTtujOIVoT:JU74e6rL0V8EWmhNTtujDe
Threatray 13'342 similar samples on MalwareBazaar
TLSH T157741255A7CA4493ED170BB1247EEE68C6F2FF4069D325530794BF170E33291AD2A263
File icon (PE):PE icon
dhash icon e0e2aba3a5b8b8a8 (38 x AgentTesla, 18 x SnakeKeylogger, 14 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241774/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620c6317875593a3ccd400c5/reports/f24c34fd-3d86-4810-abb5-4a6a9674a19c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/461c9f11-d266-452e-aa37-147a3753c8f9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940533
Signature
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573010 Sample: Swift copy payment.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 7 other signatures 2->53 11 Swift copy payment.exe 19 2->11         started        process3 file4 31 C:\Users\user\AppData\...\yypeqghdxw.exe, PE32 11->31 dropped 14 yypeqghdxw.exe 11->14         started        process5 signatures6 63 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->63 65 Tries to detect virtualization through RDTSC time measurements 14->65 67 Injects a PE file into a foreign processes 14->67 17 yypeqghdxw.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 17->20 injected process9 dnsIp10 33 www.appsforbusiness.pro 72.14.185.43, 49847, 80 LINODE-APLinodeLLCUS United States 20->33 35 www.52byhx.com 147.255.129.52, 49843, 80 LEASEWEB-USA-LAX-11US United States 20->35 37 8 other IPs or domains 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 24 wscript.exe 20->24         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 24->57 59 Maps a DLL or memory area into another process 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/755519325ba730c3e0ec5cae1d3657e1e42c1327195550c6893dab51179161c9/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 02:07:39 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovkrsms3u4ymhyhmlsxb2nsx4hscyezhdfkvbrujhwvvcf4rmheq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626
Formbook
22099fbafc3dda95912c51aa0c313826f21e2fe84ef51453c649f66ab29c6916
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
Formbook
aa067750ad705a1b6176cb6f3f91466c9d5c2ee4457c2466b995bef70c04b240
Formbook
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
fcccde6b56dbe8650273f1d67957a1adc1dd0e783d43d6543da7a44696731292
Formbook
+ 13'332 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:6dmq loader rat suricata
Link:
https://tria.ge/reports/220216-c3k9cscdhr/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
4fd8c67e8e7327c3d4c87fc6b3798e2460487ab0ccb95f15215cb194ff0073e2
MD5 hash:
377eb9bca561856eb1ff0840742c52f1
SHA1 hash:
8a1f1787ee2165b57f44deedf4f35d9f195e1d34
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/543a67a1-8d5b-4ad7-9b03-621f7ad2ab5d/
Parent samples :
755519325ba730c3e0ec5cae1d3657e1e42c1327195550c6893dab51179161c9
b5ca813a9176c8f6eb9394308c56858d9e27300f9c5a75c82eceae96b8defd83
8ef4a2f7e0e66b8b84b3b8a18ad3dee9d559717f27ea2362a361405bdf68c9b7
16119a34513a37c16bc130507da88bfb5f90384bab73dc6f8559628416bb583f
e74093d3c119896418879356da45b993f61533689db4a48e6b7501bfda40be78
SH256 hash:
d0c724e5eb80bfffccc1730c0a6519ecb3cd0048448fda8a54827c27bb4be9cb
MD5 hash:
a5bcc83dd6a0ea8606dca38e37f70b97
SHA1 hash:
f9b86ebd5c2ebd627d2c39335e7663b1b99070ac
Link:
https://www.unpac.me/results/543a67a1-8d5b-4ad7-9b03-621f7ad2ab5d/
SH256 hash:
755519325ba730c3e0ec5cae1d3657e1e42c1327195550c6893dab51179161c9
MD5 hash:
682759113d4c1b896b15575c921f1f60
SHA1 hash:
ac98519a45a769c541dcd7eed7d5163172c6e847
Link:
https://www.unpac.me/results/543a67a1-8d5b-4ad7-9b03-621f7ad2ab5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/755519325ba730c3e0ec5cae1d3657e1e42c1327195550c6893dab51179161c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241774/

Comments