MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: 7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43
SHA3-384 hash: 0de1ff7335ba94804b28247a4c5ce45cf215e91f5b44050bab83aea3397dceb0d8892ad826f59fcca4fdd2aa93117889
SHA1 hash: 2e6eda8a24f566742208180dbdcb90503f385741
MD5 hash: 0f7db9eba6aa2d3c727020c251d5161e
humanhash: hot-cat-muppet-hydrogen
File name: SWIFT COPY_USD20,000.exe
Signature: Formbook
File size: 664'064 bytes
First seen: 2023-12-22 06:55:47 UTC
Last seen: 2023-12-22 08:18:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger). This is the generic imphash of a .NET executable whose only native import is mscoree.dll!_CorExeMain, which is why it is shared with tens of thousands of unrelated .NET samples; it is not a useful pivot for this file.
ssdeep: 12288:MKn1momWOHSsh+cYDN2uPLMk92JgSfxSDdBfMmBtcyjqYcZ0:7b/BsSdWJg4SDdBfhnOt0
TLSH: T1C3E422947BAA9503FCAD47FA00322509D37A25136943E7DE4DC6249B0DF4F688725B2F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0060796969697000 (8 x AgentTesla, 6 x Formbook)
Reporter: abuse_ch
Tags: exe FormBook
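Before pivoting on any of the values above, confirm that the file you downloaded is the one this entry describes and that it really is a .NET (CIL) executable as TrID reports. The following is an added example, not MalwareBazaar's own code: it recomputes the four digests listed in the entry and checks the PE optional header for a non-empty CLR runtime (COM descriptor) data directory, which is what distinguishes a .NET image from a native one. The hashes are copied from the entry; the function names and the headers-only test PE built by `build_minimal_pe` are this example's own constructions.

```python
"""Added example (not MalwareBazaar code): verify a downloaded sample against the
digests listed in this entry and check whether the PE carries a CLR header."""
import hashlib
import struct

# Digests copied from the MalwareBazaar entry above.
ENTRY_HASHES = {
    "md5": "0f7db9eba6aa2d3c727020c251d5161e",
    "sha1": "2e6eda8a24f566742208180dbdcb90503f385741",
    "sha256": "7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43",
    "sha3_384": "0de1ff7335ba94804b28247a4c5ce45cf215e91f5b44050bab83aea3397dceb0d8892ad826f59fcca4fdd2aa93117889",
}

def file_hashes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }

def matches_entry(data: bytes, expected: dict = ENTRY_HASHES) -> bool:
    """True only if every listed digest matches; one mismatch means this is
    not the file the entry describes (or the entry's hashes were mistyped)."""
    got = file_hashes(data)
    return all(got[k] == v.lower() for k, v in expected.items())

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLR runtime header

def is_dotnet_pe(data: bytes) -> bool:
    """Return True if the PE has a non-empty CLR (COM descriptor) data directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                             # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                           # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    rva, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return rva != 0 and size != 0

def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed, headers-only PE32 image for exercising is_dotnet_pe (not a real sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 72)    # assumed CLR header RVA/size
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    print(file_hashes(blob))
    print("matches entry:", matches_entry(blob), "| .NET:", is_dotnet_pe(blob))
```

Run it as `python check.py SWIFT_COPY_USD20,000.exe` against the downloaded file. A CLR header alone says nothing about the payload: the vendor results below report a .NET unpacker stage that injects a native Formbook core, so the .NET verdict applies to the outer layer only.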

Intelligence

File Origin
# of uploads: 2
# of downloads: 273
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 1365990; sample SWIFT_COPY_USD20,000.exe; start date 22/12/2023; architecture WINDOWS; score 100). Process tree and network activity recovered from the graph:

SWIFT_COPY_USD20,000.exe (started) - Injects a PE file into a foreign processes
  SWIFT_COPY_USD20,000.exe (started by the parent) - Maps a DLL or memory area into another process
    yVubydGSfZaMBDpSdZLnym.exe (injected)
      NETSTAT.EXE (started) - Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
        yVubydGSfZaMBDpSdZLnym.exe (injected)
          www.luminaryforge.xyz 199.192.23.169, ports 49746, 49747, 49748 (NAMECHEAP-NETUS, United States)
          www.lifecoachen.com 23.235.160.38, ports 49726, 49727, 49728 (XIAOZHIYUN1-AS-APICIDCNETWORKUS, United States)
          10 other IPs or domains
        firefox.exe (started)
  SWIFT_COPY_USD20,000.exe (started by the parent)

DNS activity at graph level: www.luminaryforge.xyz, www.13hhgs.xyz, 14 other IPs or domains. Graph-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Performs DNS queries to domains with low reputation (www.13hhgs.xyz); 8 other signatures.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-12-22 06:56:09 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 11 of 22 (50.00%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: 64a8d696a38890dbe2a9bb0e6822dfbda8ba3ae6b31364408e6d40718e3598bd
MD5 hash: 417868a0231354c141a396651e4c8b11
SHA1 hash: c24d0e4d745f3ffed10e544a71d18f4319930c3b
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: c1edd28fb2b8ed74d1e10e0562fa77262a0ed2a99bfadd0318f431325c854816
MD5 hash: a7abd40500df15b25429bbfc4f5fb6c5
SHA1 hash: d8ce8a1c7fadcd427264a9f0ba685cfe8ab5c326

SHA256 hash: bb265a8187cc1151c765128f6b8340c01b6283e29a3bbc8a3086a6c0a822c604
MD5 hash: cb694dfef9a731230d1534e865e8f9b1
SHA1 hash: defec996a4dc314488b016d7727f6c22ef4917fd

SHA256 hash: f17854dbe67db81f5f36b56d7960ebc6b4b26b22101de477b4d19d42e77260e8
MD5 hash: 952b6c5e205bf8ffb89546b6f7fd6a93
SHA1 hash: acb1ea816f225fc3f643c22932e31e12144f22f4

SHA256 hash: 311f5dbaf31ed25df38365d5a7c6e937a73b204f10ce58b912348ea3fa6a5bec
MD5 hash: c201fb67e02eea5316034f91495aefee
SHA1 hash: 1e38d083579d2cbd96487aa686012d3e199c509e

SHA256 hash: 56ee135e0c4ac401e0ab6e6d4c86dd27b9f5b4601d33d976b4f33b689b509b41
MD5 hash: ede0f1b3740db94b7f6adb66f51c23b9
SHA1 hash: db8f9fe852aba11f6ba90b8e7c96da31b20fb85d

SHA256 hash: 53f08a8dfab65e63e10b523ff3030ff546a563eb32697468388aeef91f0feace
MD5 hash: 37374240e6eb45f52691d6dfcfb41dc8
SHA1 hash: 2e221a853c8253263be15a608dafbc295490b870

SHA256 hash: 4cfd3dfb46fba2750e014da59401cd45ce98a6ee8d42f5896941157b69581f13
MD5 hash: c199857d1a6e41dd27bb705b63d8d0d4
SHA1 hash: 1d53421419e3d42e5aa88344c592f4a3e753a2d8

SHA256 hash: 058a989d861668b28979e646c2f0db7db98789fc2c4ae7aeca28d56292c21764
MD5 hash: f076c994cd868b0739f4b50075a0aa86
SHA1 hash: 1d3ed8858d6ef5033a12c5a6275cc54735ce607b

SHA256 hash: 0f45469b44541797e7394106a9f54358a14eb38710a474bfc4feb39dc3195d5c
MD5 hash: 4e4e898a2c27c3d67a21c4287987389f
SHA1 hash: 18a0e5f8f6cf8ecdc42b552ca291418461596d47

SHA256 hash: b799b93ec6761f6213dc43c533838e3b03159afb269957ff3d5c7c8eba407eac
MD5 hash: 20ba6457d00481534e805fb5fd170397
SHA1 hash: 1028370c47ef313a6a070894f996209f07177cb1

SHA256 hash: 7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43 (the submitted sample)
MD5 hash: 0f7db9eba6aa2d3c727020c251d5161e
SHA1 hash: 2e6eda8a24f566742208180dbdcb90503f385741
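The hash, domain and IP indicators in this entry, together with the behaviour the sandbox reports (the sample injecting into a copy of itself, a randomly named injected process, NETSTAT.EXE being launched from the sample and in turn spawning firefox.exe), translate directly into detection logic. The block below is an added example, not MalwareBazaar's or any vendor's code: it scans a list of constructed Sysmon-style events for the entry's IOCs and for those behaviour patterns. The IOC values are copied from this page; the event schema, the rule names, the `NETSTAT_OK_PARENTS` allow-list and the sample events are this example's own assumptions.

```python
"""Added example (not MalwareBazaar or vendor code): match this entry's IOCs and the
reported injection / netstat behaviour against constructed Sysmon-style events."""
from collections import namedtuple
import ntpath

# IOCs taken from the entry: submitted sample and a detected unpacked file, contacted domains and IPs.
HASH_IOCS = {
    "7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43",  # this sample
    "64a8d696a38890dbe2a9bb0e6822dfbda8ba3ae6b31364408e6d40718e3598bd",  # unpacked, win_formbook_w0/g0
}
DOMAIN_IOCS = {"www.luminaryforge.xyz", "www.13hhgs.xyz", "www.lifecoachen.com"}
IP_IOCS = {"199.192.23.169", "23.235.160.38"}
# Assumed allow-list: parents from which netstat.exe is normally run interactively.
NETSTAT_OK_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

Hit = namedtuple("Hit", "rule detail")

def base(path: str) -> str:
    """Lower-cased image file name from a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()

def user_writable(path: str) -> bool:
    """Heuristic: binaries under a user profile or temp directory are not system binaries."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\appdata\\" in p

def scan_event(ev: dict) -> list:
    """Return the list of rule hits for one event (empty list if benign)."""
    hits = []
    kind = ev["type"]
    if kind == "dns" and ev["query"].lower() in DOMAIN_IOCS:
        hits.append(Hit("ioc.domain", ev["query"]))
    elif kind == "netconn" and ev["dst_ip"] in IP_IOCS:
        hits.append(Hit("ioc.ip", ev["dst_ip"]))
    elif kind == "file_hash" and ev["sha256"].lower() in HASH_IOCS:
        hits.append(Hit("ioc.hash", ev["sha256"]))
    elif kind == "process_create":
        img, parent = base(ev["image"]), base(ev["parent_image"])
        # "Uses netstat to query active network connections": netstat launched by something odd.
        if img == "netstat.exe" and parent not in NETSTAT_OK_PARENTS:
            hits.append(Hit("behaviour.netstat_odd_parent", f"{parent} -> {img}"))
        # netstat never spawns children on its own; in the graph it starts firefox.exe.
        if parent == "netstat.exe":
            hits.append(Hit("behaviour.netstat_spawns_child", f"{parent} -> {img}"))
    elif kind == "remote_thread":
        # "Writes to foreign memory regions" / thread injection: cross-image, or any
        # remote thread created from a binary living in a user-writable path.
        src, dst = ev["source_image"], ev["target_image"]
        if base(src) != base(dst) or user_writable(src):
            hits.append(Hit("behaviour.remote_thread", f"{base(src)} -> {base(dst)}"))
    return hits

def scan(events: list) -> list:
    return [h for ev in events for h in scan_event(ev)]

# Constructed telemetry shaped after the behaviour graph above; not real captured logs.
SAMPLE = r"C:\Users\u\Downloads\SWIFT COPY_USD20,000.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EVENTS = [
    {"type": "file_hash", "image": SAMPLE,
     "sha256": "7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43"},
    {"type": "process_create", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": SAMPLE, "parent_image": SAMPLE},        # spawns a copy of itself
    {"type": "remote_thread", "source_image": SAMPLE, "target_image": SAMPLE},  # injects into that copy
    {"type": "process_create", "image": NETSTAT, "parent_image": SAMPLE},
    {"type": "remote_thread", "source_image": NETSTAT, "target_image": FIREFOX},
    {"type": "process_create", "image": FIREFOX, "parent_image": NETSTAT},
    {"type": "dns", "query": "www.luminaryforge.xyz"},
    {"type": "netconn", "dst_ip": "199.192.23.169", "dst_port": 80},
    {"type": "dns", "query": "www.example.com"},                                 # benign control
]

if __name__ == "__main__":
    for h in scan(EVENTS):
        print(f"{h.rule:34} {h.detail}")
```

Two caveats when porting these rules to real telemetry. The hash and domain rules only catch this exact build and this C2 set; the vendor blocks above already show the packer changes hashes per sample. The remote-thread rule relies on a CreateRemoteThread-style event, but this sample is also flagged for "Queues an APC in another process" and "Suspicious use of SetThreadContext", injection paths that Sysmon event 8 does not record, so the netstat parent/child rules are the more robust signal for this family.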
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malware family: Formbook
File: Executable exe 7a106b85d3351d21cefc1459fd220784db904e88033f371353d9b46cb7ed2b43 (this sample)
Delivery method: Malspam, distributed via e-mail attachment