MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69
SHA3-384 hash: cb456564b9de4198fe09ce329dec1ea07d862b8193c0af065124c72251f7928d957ddd3bd04642d21aeab230dfdb766d
SHA1 hash: 69c8876f36e55aa5f763840a7af2faec34ca9795
MD5 hash: 28be14d0f408e1263594adca02ab3289
humanhash: quiet-eight-lemon-oregon
File name:SWIFT transferir copia_98087.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'219'072 bytes
First seen:2021-02-24 07:06:16 UTC
Last seen:2021-02-24 09:04:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rtSq9sj56YkWxQ4r3WFRJaSA/KpS9g3S2hdqEJTt07OkMqk:YEWFCFRJ4/KpS9KNhdL0yd
Threatray 3'913 similar samples on MalwareBazaar
TLSH 544538011629BE24F4BD933799A88450EFE9BC10D711C92EF4E47CAE6E70BD2664F607
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: web333.fangio.net
Sending IP: 190.106.131.237
From: Banco Santander <remittance@tecnosorgosa.com.ar>
Subject: MT103 Copia de transferencia de payment
Attachment: SWIFT transferir copia_98087.iso (contains "SWIFT transferir copia_98087.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT transferir copia_98087.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 06:15:48 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b11bd853-5225-433c-b828-e95a207eed00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118875/
Detection(s):
SecuriteInfo.com.Trojan.Inject.19364.14594.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616228
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 357120 Sample: SWIFT transferir copia_98087.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 36 www.ducatsupply.com 2->36 38 ducatsupply.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 7 other signatures 2->48 11 SWIFT transferir copia_98087.exe 3 2->11         started        signatures3 process4 file5 28 C:\...\SWIFT transferir copia_98087.exe.log, ASCII 11->28 dropped 14 SWIFT transferir copia_98087.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.irisettelment.com 103.224.182.242, 49766, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 17->30 32 co2-zero.global 37.97.254.27, 49770, 80 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 17->32 34 15 other IPs or domains 17->34 40 System process connects to network (likely due to code injection or exploit) 17->40 21 cmmon32.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 05:03:51 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucrev4ox5lz4abtlif7t6yyte6xtp5pb4pxi66ibtow6d5ya55uq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133
Formbook
0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
2bec4da3283f4d9329b155c12e5ee6f5f8943bb43d9e66c1767b877b89a19063
Formbook
2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453
Formbook
a3327c95da3017b7f9f87eeeef8ccba7373e363facad5024432b7aba20a9b832
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
b0787f51caf44390126cfb1e827d548139021e30bca2cf2e299917ea5788a8bf
Formbook
e5ff1fccc213b922956415d980bbbf9318b17834761d629b23448ab14868812e
Formbook
fd43374c3bef6b11ed3bd01e3830cb6c62cab1bdb3ffcf0f3c29de7151513b0a
Formbook
+ 3'903 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210224-6e7h6j7zpe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.basiclablife.com/8zdn/
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/0065d9c5-248a-4681-a398-48ac683c8dbd/
SH256 hash:
a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69
MD5 hash:
28be14d0f408e1263594adca02ab3289
SHA1 hash:
69c8876f36e55aa5f763840a7af2faec34ca9795
Link:
https://www.unpac.me/results/0065d9c5-248a-4681-a398-48ac683c8dbd/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 6c383a2650fcb6ab1d03185cce59f460192b101f442c18a716d0a560448c8a9a

Formbook

Executable exe a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69

(this sample)

  
Dropped by
MD5 bd84dca2ee24f917709c07bb25a084d0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6c383a2650fcb6ab1d03185cce59f460192b101f442c18a716d0a560448c8a9a
Cape
Cape
https://www.capesandbox.com/analysis/118875/

Comments