MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70
SHA3-384 hash: 715fa5ef5705d0c53f60fe89cfe2bc51aa5bc96ec4e05dbd240113c744d4ce8dc90b9050bb837e3eb4952fad22936af1
SHA1 hash: 69d3e65e9b1476de013ec11cde3e740b9bc634a4
MD5 hash: e49f2228be478c0adfd27fc6d103e733
humanhash: papa-massachusetts-low-equal
File name:wire swift copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'308'160 bytes
First seen:2022-03-23 12:09:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QYsgGUZryrfcDErc6tC3+cZ8vyPElYYfXNTTxcW7c7mjh7KsCzkDJSKfkm1aC0hw:QNgGUZ80oztk8WytTxtMmj8sCGMK
Threatray 14'330 similar samples on MalwareBazaar
TLSH T1DC5594AD325072DFC867C972CAA81C64FB9074BB530BD607A05313A99E4E897EF540F6
Reporter cocaman
Tags:exe FormBook SWIFT

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70.exe
Verdict:
Malicious activity
Analysis date:
2022-03-23 14:11:36 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8b5cc060-be43-4b35-ae0b-2588a59ab75c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256428/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623b0eae0cd58dbd92df1d57/reports/04e3286a-c8c9-4753-a7e8-d837dde79d1d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963390
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 10:37:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4hb2hwdz3nq66cvutmkpmx3hec4ldezsycbml6gnhfevi3b3vya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6
Formbook
4d11816de1a6429b0fa2f9754f7e51e45a6afb350ddd5b806974b629e8fc6fc3
Formbook
67db5982545c91192a7c4fcaa3cbe5324de3e69faa1af275b05926d80eda889d
Formbook
6c4946e53ef709831150bf2cc272bc4a0094a5d3d917c02994898178afe210bc
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
ace8d85c2f02bd3d531cd8d609d23c6d35588ecce52f40a8d129b39a6b1d7723
Formbook
b5f2c53261cde3d73cdf723733cd27caed78e63aa1e878c52e461156838d35af
Formbook
c61a915c345d7574f2730043bc34dbed169ccc9041205546bab4e60d5c0f21e1
Formbook
dc398f97c7c248ee6e669cb910b617224c1da4eb8338a37fc4ed812784f83a24
Formbook
+ 14'320 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oto8 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220323-pb8lssabbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
003d192bc862dace52ba7e1c2783ba446d1322759d230da9d0c1e44e0fc612aa
MD5 hash:
bac382e946c6a8dca0993bef02bb696e
SHA1 hash:
9816b71995827bbc1daae1f8493a78897efb1b2d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbfe9bb0-a400-483c-b1c5-8fc066da4d17/
SH256 hash:
50fd97c5bcb90169a11990d92d05dc5adc4bb1197e186ad24cd993efc5724708
MD5 hash:
d87d6aade7c9fd246f87c072492029f8
SHA1 hash:
aeed4eaee944ffdcfa69e526db486e6e073171b9
Link:
https://www.unpac.me/results/bbfe9bb0-a400-483c-b1c5-8fc066da4d17/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/bbfe9bb0-a400-483c-b1c5-8fc066da4d17/
SH256 hash:
7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70
MD5 hash:
e49f2228be478c0adfd27fc6d103e733
SHA1 hash:
69d3e65e9b1476de013ec11cde3e740b9bc634a4
Link:
https://www.unpac.me/results/bbfe9bb0-a400-483c-b1c5-8fc066da4d17/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7f0e1d1ec3ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 91ced8ae239b6f99a6b15217769d96e5ebf2b2575dd9b9a3e1abd4269133a7cb

Formbook

Executable exe 7f0e1d1ec3cedb0f7855a4d8a7b2fb3905c58c999604162fc669ca4aa361dd70

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 91ced8ae239b6f99a6b15217769d96e5ebf2b2575dd9b9a3e1abd4269133a7cb
Cape
Cape
https://www.capesandbox.com/analysis/256428/

Comments