MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9de3aef5ea5f782a7da7345d6b7bc23bc0f2b33d9d7b4a6c35e65a5368b2223a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	9de3aef5ea5f782a7da7345d6b7bc23bc0f2b33d9d7b4a6c35e65a5368b2223a
SHA3-384 hash:	095f6460db3f506f0be9250af2602b73676c1cd8414a4d81ce66cf879847062aa36b85a94d03d080e949c88f85ad5f6d
SHA1 hash:	a92cdee438ebbfe2414e8b17a6c8c2ca548f1a6a
MD5 hash:	da9b9a6f52f37ce3e190e1dc22eb3c55
humanhash:	seven-harry-london-blue
File name:	Ziraat Bankasi Swift Mesaji.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	661'504 bytes
First seen:	2022-06-09 06:20:33 UTC
Last seen:	2022-06-09 06:54:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:aodfsJrJ6qFjgtfjCzGB9xFSHpzRlOSX+aDAuf4xBhTbo9q:KrIqFjeLCzC96JDzXtPibo
TLSH	T1AEE412247BEC0BA2C9BD0BFEA4A1004043B4E676551BF71E1E9571EB4A7BF808756723
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe FormBook geo TUR ZiraatBank

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Ziraat Bankasi Swift Mesaji.exe

Verdict:

Malicious activity

Analysis date:

2022-06-10 01:14:24 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/0806eb5a-db48-498b-bc0d-d7382c9d9343

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/278053/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.23680.10850.20905.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a1918f1fdbb8e83149d7d3/reports/95e1874a-266a-46ea-9cad-26f16bdc6993/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c8f4491-e2bd-4ff7-a40c-38261578c08e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1009889

Signature

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd or bat file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9de3aef5ea5f782a7da7345d6b7bc23bc0f2b33d9d7b4a6c35e65a5368b2223a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-08 09:03:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=txr255pkl54cu7nhgroww66chpapfmz5tv5uu3bv4znfg2fsei5a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:pr28 rat spyware stealer trojan

Link:

https://tria.ge/reports/220609-g4bhrsgagr/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Unpacked files

SH256 hash:

2c5afaae99613699557111c07089b7707e28c2b2bac4a1525a3e9bb5d2276b19

MD5 hash:

d377251ab46ce2c88d0c52a1bffbdd41

SHA1 hash:

53cf63470159f3047511269736532dbd7dfc8f31

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/273f2253-e87a-40da-ac47-8134f3896c33/

Parent samples :

298d3c150bbee5312da015cd6448e7dc47eddcda5a6ddd215072102b6ba9e9e3
9de3aef5ea5f782a7da7345d6b7bc23bc0f2b33d9d7b4a6c35e65a5368b2223a
b38804166eadbfa83edfbbb26115a35bc284af64a8e3429c3011a13965fdcbf2
32b7d0b30638db08927b43bb633cb29da62ab634c34de42ff582841191c31839
7f64aa4801b0cbae5fdda52ae4fe848ef03650a4dec91b4f4d5131a0def6b464
859aada0cf09832daace8902102e39989f7eac7e3152006ea017a9f27e22b162
70239322a00a334498eac4672e0fd100a6b33294eebffbbc673b7667f9583e78

SH256 hash:

499b020808e0bd8c5f98d2f1174b2a43ebfe0fc830f4de71c00eb9b9ca186cf7

MD5 hash:

70ca3296b666de606ea30d4795a92c90

SHA1 hash:

e34af2caaf3b853e910abcf6065f5dc4cc11a7fa

Link:

https://www.unpac.me/results/273f2253-e87a-40da-ac47-8134f3896c33/

SH256 hash:

a63332e63ebe7325838292a4397c11f54381eb581088002e3797d0241d384429

MD5 hash:

b32e68d4f8b2577535eb7bd3cb1a5f69

SHA1 hash:

7c22772cbecbc156de0a1eb72ddc30ed56fc123e

Link:

https://www.unpac.me/results/273f2253-e87a-40da-ac47-8134f3896c33/

SH256 hash:

fe78017f2153de0c5ca645c4255899ab044502fe5c77d5c04ced635d9fe981d9

MD5 hash:

ab47b292d4d39311539a0b97e6661f4f

SHA1 hash:

54cd9efbebe4f41b23e6f24fffac0da8f72d921b

Link:

https://www.unpac.me/results/273f2253-e87a-40da-ac47-8134f3896c33/

SH256 hash:

9de3aef5ea5f782a7da7345d6b7bc23bc0f2b33d9d7b4a6c35e65a5368b2223a

MD5 hash:

da9b9a6f52f37ce3e190e1dc22eb3c55

SHA1 hash:

a92cdee438ebbfe2414e8b17a6c8c2ca548f1a6a

Link:

https://www.unpac.me/results/273f2253-e87a-40da-ac47-8134f3896c33/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9de3aef5ea5f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/9de3aef5ea5f782a7da7345d6b7bc23bc0f2b33d9d7b4a6c35e65a5368b2223a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278053/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample