MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6
SHA3-384 hash: e8140d2cef908a2290b5ae1d8fc365c4e8cb7df4eff7ff1244533f46d01a4b1bad54c2c578b39a2b2f5d978f1e3120a4
SHA1 hash: 348964ad28acd9156b99a98c15206536bc821d7b
MD5 hash: 696f755b096c1b9d24e621aacc8ddab1
humanhash: eighteen-equal-white-delaware
File name:comprobante de pago SWIFT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:847'360 bytes
First seen:2022-03-29 09:37:29 UTC
Last seen:2022-03-29 10:41:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dbf1300428baed4574f07bfbbe98b092 (4 x Formbook, 1 x RemcosRAT)
ssdeep 12288:k8XoVKkPa3yFwp0ShMnn0sAIpxxfBy2oYWVwyUAPdCL9/ZHi:zYIkCyFwXhM0jIpx+h7UAPdCLHH
Threatray 14'779 similar samples on MalwareBazaar
TLSH T1E5057DAEA3918977C13327788D5B97F4AC1A7F402F2498472AE83E4F7E386503535297
File icon (PE):PE icon
dhash icon f0c0db6c6a7af0fc (24 x Formbook, 6 x QuasarRAT, 5 x RemcosRAT)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259103/
Detection(s):
SecuriteInfo.com.Trojan7000000f1.17828.17877.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Sending an HTTP GET request
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11980/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/6242d37b9253b276b79a2bdd/reports/30409901-332b-4344-8f32-6bfa93b6a665/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39d35bd7-e589-4beb-a469-fc1279bb1e12
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966577
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 599065 Sample: comprobante de pago SWIFT.exe Startdate: 29/03/2022 Architecture: WINDOWS Score: 100 46 www.the-pumps.com 2->46 48 www.relyoncarlos.com 2->48 50 2 other IPs or domains 2->50 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 10 other signatures 2->78 11 Wjkidnb.exe 15 2->11         started        15 comprobante de pago SWIFT.exe 1 17 2->15         started        18 Wjkidnb.exe 15 2->18         started        signatures3 process4 dnsIp5 52 zaydaw.dm.files.1drv.com 11->52 60 2 other IPs or domains 11->60 88 Writes to foreign memory regions 11->88 90 Allocates memory in foreign processes 11->90 92 Creates a thread in another existing process (thread injection) 11->92 20 logagent.exe 11->20         started        54 l-0003.dc-msedge.net 13.107.43.12, 443, 49768, 49770 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->54 56 zaydaw.dm.files.1drv.com 15->56 62 2 other IPs or domains 15->62 42 C:\Users\Public\Wjkidnb.exe, PE32 15->42 dropped 44 C:\Users\Public\Wjkidnb.exe:Zone.Identifier, ASCII 15->44 dropped 94 Injects a PE file into a foreign processes 15->94 23 logagent.exe 15->23         started        58 zaydaw.dm.files.1drv.com 18->58 64 2 other IPs or domains 18->64 25 logagent.exe 18->25         started        file6 signatures7 process8 signatures9 80 Modifies the context of a thread in another process (thread injection) 20->80 82 Maps a DLL or memory area into another process 20->82 84 Sample uses process hollowing technique 20->84 86 2 other signatures 20->86 27 explorer.exe 20->27 injected process10 dnsIp11 66 www.ksssz.com 168.76.29.188, 49887, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 27->66 68 mkpackersandmovers.com 208.91.198.225, 49811, 80 PUBLIC-DOMAIN-REGISTRYUS United States 27->68 70 21 other IPs or domains 27->70 96 System process connects to network (likely due to code injection or exploit) 27->96 98 Performs DNS queries to domains with low reputation 27->98 31 wlanext.exe 27->31         started        34 rundll32.exe 27->34         started        36 cmd.exe 27->36         started        signatures12 process13 signatures14 100 Modifies the context of a thread in another process (thread injection) 31->100 102 Maps a DLL or memory area into another process 31->102 104 Tries to detect virtualization through RDTSC time measurements 31->104 38 cmd.exe 1 31->38         started        process15 process16 40 conhost.exe 38->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 09:38:10 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovkwh4zt6mvwpkmsbpaajstsbsnna6t5atipfh53ydt4mnexh33a._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
formbook
Create hunting rule
Similar samples:
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
Formbook
199cc04b9d617b58a11715354df9a83c93416a3906a352aeb21181d65021fdfd
Formbook
564d91f37b294e7a10fe79495dc9da5ae6733b20f2d7c732ff0c692110b0e01a
Formbook
755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6
Formbook
9d42b1b9280301d54b45752d046405be7e1a632de78723aa46cb20c1cc43c801
Formbook
a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522
Formbook
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
Formbook
b3bc74c1f3673da08a95775af5f39dd116a249d8a7e597fcd8bb56e07ae3bcd2
Formbook
efdd97e52e2d4a47a66abeb6073c2be21ce056da12256a2f74a5e9c6a8fe1916
Formbook
f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e
Formbook
+ 14'769 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gqvv loader persistence rat suricata
Link:
https://tria.ge/reports/220329-ll2dpahagk/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
b654cd6862adbeb460d7333bccc59c3d6db87ce9929ae08da2732e03ecf0932c
MD5 hash:
aa64d8724ec75b4fb49a7b4ee5cf0a74
SHA1 hash:
ef1787b90d6ec7256b7dc70ff59c5d08c52e9c88
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/7f704808-b521-4d04-a2cd-6755de6b18cb/
Parent samples :
c46fc3d3cd02ebc1ec0d5dad74c220467b1966df6644b2e11b00a88f4b149ad8
755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6
SH256 hash:
755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6
MD5 hash:
696f755b096c1b9d24e621aacc8ddab1
SHA1 hash:
348964ad28acd9156b99a98c15206536bc821d7b
Link:
https://www.unpac.me/results/7f704808-b521-4d04-a2cd-6755de6b18cb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/755563f333f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/259103/

Comments