MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5968626c3fa98eb7975b8c5fc4c5d55bb0bf7bd537143dc3619b1c9d5c15343. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5968626c3fa98eb7975b8c5fc4c5d55bb0bf7bd537143dc3619b1c9d5c15343
SHA3-384 hash: d5d35787dae05567e3db7f59ca2c7e73b991c80e27f415168ee18c3460ecf35c70749f908a1bcb7b51f1c49d2286f842
SHA1 hash: 1f51a6efb1cc01dd985304c056850a7d9dc360d1
MD5 hash: b461a359b3cd91d04427620e1ae7a3bb
humanhash: tango-sixteen-five-georgia
File name:SWIFT20221028-876543234567897.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:57'152 bytes
First seen:2022-10-28 04:18:03 UTC
Last seen:2022-10-29 03:22:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:6p6f8s5j4QohDxk9XgF1Rb35BZYoFpkY15r9cVhgk7OEvlUAecs/cz+WiRPPrk+5:csFohDA0TZdpkYadfvlUFcOpWixPd
Threatray 2'394 similar samples on MalwareBazaar
TLSH T1CD437E897BD87D8FC94ECB7A85A1780946BCD0712703D343A8D17A6D085B3DE4D13A93
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 30b2c4c8c8c4b030 (53 x Formbook, 41 x RemcosRAT, 20 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325322/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.Aichost.UNOFFICIAL
Create hunting rule

Win.Dropper.LokiBot-9969312-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Searching for synchronization primitives
Reading critical registry keys
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/635ba620736e9d884f0d70b4/reports/a34de3b8-c09a-4072-ad77-3fd9dad313ed/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76a597ca-91a1-4bca-949f-dad0780a98f1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100055
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 732716 Sample: SWIFT20221028-876543234567897.exe Startdate: 28/10/2022 Architecture: WINDOWS Score: 100 34 www.ramarketing.info 2->34 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 9 SWIFT20221028-876543234567897.exe 15 3 2->9         started        signatures3 process4 dnsIp5 36 uiu-auzq5.tk 162.144.81.198, 443, 49693, 49694 UNIFIEDLAYER-AS-1US United States 9->36 26 C:\...\SWIFT20221028-876543234567897.exe.log, CSV 9->26 dropped 56 Writes to foreign memory regions 9->56 58 Allocates memory in foreign processes 9->58 60 Injects a PE file into a foreign processes 9->60 62 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->62 14 aspnet_compiler.exe 9->14         started        file6 signatures7 process8 signatures9 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 17 explorer.exe 14->17 injected process10 dnsIp11 28 zj.zhanghonghong.com 39.109.127.85, 49712, 49713, 49715 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 17->28 30 www.ellieadamsphotography.com 208.91.197.27, 49708, 49710, 49711 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 17->30 32 7 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 21 cmmon32.exe 13 17->21         started        24 autochk.exe 17->24         started        signatures12 process13 signatures14 48 Tries to steal Mail credentials (via file / registry access) 21->48 50 Tries to harvest and steal browser information (history, passwords, etc) 21->50 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5968626c3fa98eb7975b8c5fc4c5d55bb0bf7bd537143dc3619b1c9d5c15343/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 23:18:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwlimjwd7kmow6lvxdc7ytc5kw5qx555knyuhxbwdgy4tvobknbq._file
Verdict:
malicious
Similar samples:
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
Formbook
2c1e4de15b0a08e77555d4b16f2bb56fae378081a9411138d323b6b52a7e891b
Formbook
35d8fbdb864d9104dd1a9f05fe522b27bb6d278ea993a7863b298b66df06636b
Formbook
361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f
Formbook
3848823a1b58d846e410636a0f7fe39ab04c984fe8353489e4d83f694195e26e
Formbook
4905fecf9b5d2057f495dcd21e81e03db0114af804fe59931cd901fbfbde5c9a
Formbook
575d3a4edbf03fc3bead2e44d9f8a65047ff8f7e90d9130eca7a6825bc92fb56
Formbook
a75fa828c957b6b8a85cc40bf4a0a64fb6afef7ef1fe31dc0e842baf399031be
Formbook
b2dadf77d0f5917ce225ee0b177e4d5deb626a81ce33815f176d915ea21ba159
Formbook
cfcae7aaa384f20d0b16577e2ac81010403db19bec0fe546ec6fc0a7cf2d3d09
Formbook
+ 2'384 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:wzun rat spyware stealer trojan
Link:
https://tria.ge/reports/221028-exhmdseec3/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook
Unpacked files
SH256 hash:
9bce09b01bdc0fab49be74946a35bc0bace4613a77f5d3bc3f89f9f5c344ac99
MD5 hash:
232bef9b311d54a1e588640b06672259
SHA1 hash:
673063f991e1db9c0a2c5b0359c881b4faf9f3e4
Link:
https://www.unpac.me/results/f8d9b85e-fd81-4d29-a649-fa76b37109a7/
SH256 hash:
a5968626c3fa98eb7975b8c5fc4c5d55bb0bf7bd537143dc3619b1c9d5c15343
MD5 hash:
b461a359b3cd91d04427620e1ae7a3bb
SHA1 hash:
1f51a6efb1cc01dd985304c056850a7d9dc360d1
Link:
https://www.unpac.me/results/f8d9b85e-fd81-4d29-a649-fa76b37109a7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5968626c3fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a5968626c3fa98eb7975b8c5fc4c5d55bb0bf7bd537143dc3619b1c9d5c15343

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a5968626c3fa98eb7975b8c5fc4c5d55bb0bf7bd537143dc3619b1c9d5c15343

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/325322/

Comments