MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
SHA3-384 hash: 7ee9029217d7b89f40b6640b7aa69a680b579d315fe1058bccceb4beed6d17a96077180e5de3089439a99e4ab24b5c45
SHA1 hash: 5d77030f4c546372fc081fe5eb0d7dd40abb2132
MD5 hash: e3ffde725018b4c4cc8d51a655a09526
humanhash: hotel-five-glucose-florida
File name:SWIFT PAYMENT & ADVICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:509'166 bytes
First seen:2023-11-03 07:53:58 UTC
Last seen:2023-11-03 09:19:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:lPiFuz6TzgqegDe2Q7wU84mjgxeD2S6eo2p5UlJXYoit7:lPiFuz6Txe2imf2Heo2pmPg7
Threatray 2 similar samples on MalwareBazaar
TLSH T1E0B4F0C1D58001E5ECA96F3165338C38A6777E7E9EB06A8E4A9DB5702F73187002BD5B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9999505523211729 (2 x Formbook, 2 x RemcosRAT, 1 x GuLoader)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457961/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.10759.11614.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6544a726b38131f117ad32e2/reports/9b9c3a86-8b39-475a-a8fc-e9942e69f232/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/657a0fda-11f7-48bd-9564-161655a8352b
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336484
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336484 Sample: SWIFT_PAYMENT_&_ADVICE.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 34 www.winsup.xyz 2->34 36 www.unisocks.live 2->36 38 11 other IPs or domains 2->38 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 7 other signatures 2->54 11 SWIFT_PAYMENT_&_ADVICE.exe 17 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\tstje.exe, PE32 11->32 dropped 14 tstje.exe 1 11->14         started        process6 signatures7 64 Multi AV Scanner detection for dropped file 14->64 66 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->66 68 Maps a DLL or memory area into another process 14->68 17 tstje.exe 14->17         started        20 conhost.exe 14->20         started        process8 signatures9 46 Maps a DLL or memory area into another process 17->46 22 pXSzpRQrUeZhbNrRhOVfmZnEFHu.exe 17->22 injected process10 process11 24 cipher.exe 13 22->24         started        signatures12 56 Tries to steal Mail credentials (via file / registry access) 24->56 58 Tries to harvest and steal browser information (history, passwords, etc) 24->58 60 Writes to foreign memory regions 24->60 62 3 other signatures 24->62 27 pXSzpRQrUeZhbNrRhOVfmZnEFHu.exe 24->27 injected 30 firefox.exe 24->30         started        process13 dnsIp14 40 www.winsup.xyz 203.161.53.83, 80 VNPT-AS-VNVNPTCorpVN Malaysia 27->40 42 gyoseisyoshi-jimusyo.com 219.94.128.69, 49721, 49722, 49723 SAKURA-CSAKURAInternetIncJP Japan 27->42 44 7 other IPs or domains 27->44
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 01:04:03 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6r73misr2pryzsfseym2kcinbmo2hqe55kt67sr6bx4ocu43ihq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
aac65be361846da8dcffed72adc62c23fa81ffb6b140862fe3bd24dbb0b5bada
Formbook
afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231103-jrka9agb79/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
c362dedc277de030c434a749a9259eb1f1bc65d8d9457a935dcc05c71479d9b0
MD5 hash:
123da2577c1478f6aa2c66ef84a09870
SHA1 hash:
9ec3886d4de07bb1dd1439462a8a8143537a750c
Link:
https://www.unpac.me/results/4c03710f-4cff-4fc8-8532-ad300a6bfae4/
SH256 hash:
4bfa6b098219e572cc84115b047870149d0b1e4c4bfec80e938c77e1904710c4
MD5 hash:
ae50470c4c3f696b3fa0b82dcc2adcde
SHA1 hash:
eec7f41d5743073998a9a4d336ca9f666cda0018
Link:
https://www.unpac.me/results/4c03710f-4cff-4fc8-8532-ad300a6bfae4/
SH256 hash:
924615f675a40b9f9eb5acefdf085a47f0d2afaf6fa832a64ba8cc89e1ab4117
MD5 hash:
f61c9bf5a757ae1643f7cec78237e49d
SHA1 hash:
52d6418bfffe1b9fede9662e2f812beb28769aa6
Link:
https://www.unpac.me/results/4c03710f-4cff-4fc8-8532-ad300a6bfae4/
SH256 hash:
afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
MD5 hash:
e3ffde725018b4c4cc8d51a655a09526
SHA1 hash:
5d77030f4c546372fc081fe5eb0d7dd40abb2132
Link:
https://www.unpac.me/results/4c03710f-4cff-4fc8-8532-ad300a6bfae4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/afa3fdb1128e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457961/

Comments