MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
SHA3-384 hash: 02ccdcc3c799feab84c253e7c80935ae6a8875be1fb8b951600a028064111d381f0d8fd915786df1682315bdea25748f
SHA1 hash: 1f2ae9417601ffea6c57643a7b56e78b50c8cb2d
MD5 hash: 1e83fcc22cccdab1b97887b371f4b8d4
humanhash: saturn-lamp-florida-one
File name:SWIFT COPY.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:502'784 bytes
First seen:2020-10-07 10:37:34 UTC
Last seen:2020-10-07 18:42:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:a8mQxbxKRcW/+sbJT4nwWQjqsV0KdYetrjstIoT5GWeuWiKASr:a8mqbx1C+6inwWQjLr2moToWaiW
Threatray 2'342 similar samples on MalwareBazaar
TLSH C1B417053B09EAB0F1AE543484C6D1F50701FE9D5A8A512E7FD1FE1FA9B7608006EFA6
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68884/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483988
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294438 Sample: SWIFT COPY.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for dropped file 2->61 63 8 other signatures 2->63 10 SWIFT COPY.exe 7 2->10         started        process3 file4 47 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 10->47 dropped 49 C:\Users\user\AppData\...\SWIFT COPY.exe.log, ASCII 10->49 dropped 51 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 10->51 dropped 75 Injects a PE file into a foreign processes 10->75 14 SWIFT COPY.exe 10->14         started        17 cmd.exe 1 10->17         started        19 cmd.exe 3 10->19         started        22 cmd.exe 1 10->22         started        signatures5 process6 file7 77 Modifies the context of a thread in another process (thread injection) 14->77 79 Maps a DLL or memory area into another process 14->79 81 Sample uses process hollowing technique 14->81 83 Queues an APC in another process (thread injection) 14->83 24 explorer.exe 14->24 injected 28 reg.exe 1 1 17->28         started        30 conhost.exe 17->30         started        43 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 19->43 dropped 32 conhost.exe 19->32         started        45 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 22->45 dropped 34 conhost.exe 22->34         started        signatures8 process9 dnsIp10 53 www.landschaftstechnik.com 185.53.177.10, 49741, 80 TEAMINTERNET-ASDE Germany 24->53 55 www.pandemiclearningpodsfairfax.com 13.224.102.114, 49742, 80 AMAZON-02US United States 24->55 71 System process connects to network (likely due to code injection or exploit) 24->71 36 wscript.exe 24->36         started        73 Creates an undocumented autostart registry key 28->73 signatures11 process12 signatures13 65 Modifies the context of a thread in another process (thread injection) 36->65 67 Maps a DLL or memory area into another process 36->67 69 Tries to detect virtualization through RDTSC time measurements 36->69 39 cmd.exe 1 36->39         started        process14 process15 41 conhost.exe 39->41         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3/
Threat name:
ByteCode-MSIL.Infostealer.CoinStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 07:40:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
58
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xiv7laawkdj3d37cmnil3sqqf5qg3r3cflkjbdcbi6e66xapeszq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f8acbcde0c3f0f60b101a72f778b7d29a9a799f607e4ec00aa28dc734d0fbfa
NanoCore
19f43d1f8fd11eccbdb2d9ce05a16983fe394cbd92943bc57943e4bbbb686687
NanoCore
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
NanoCore
4334ef4236c8a8b7c1c3463875315f16b35ba1d4dfac8c67f8c0cb81f950d850
NanoCore
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
NanoCore
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
NanoCore
da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
NanoCore
e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0
NanoCore
e99c6ae5a08e119d151f0c28b6b164d98ca6fd24d1d91b6f57bdf40f3d688c91
NanoCore
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
NanoCore
+ 2'332 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201007-l68dwyw1kn/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.purebodyrecovery.com/rhk/
Unpacked files
SH256 hash:
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
MD5 hash:
1e83fcc22cccdab1b97887b371f4b8d4
SHA1 hash:
1f2ae9417601ffea6c57643a7b56e78b50c8cb2d
Link:
https://www.unpac.me/results/d0fadc3b-f885-460f-b1c5-b557b4e42ea5/
SH256 hash:
00fbae02cdcd2438dbc3a8758e8e5dcc8bb86b26162c6b23c1edae3f0ccc918f
MD5 hash:
3c5e36539ea6b6ea02774b082f151ac6
SHA1 hash:
b0ed5a1f3bb540f8c5a08ec5909ec5f1fa59fcf5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0fadc3b-f885-460f-b1c5-b557b4e42ea5/
Parent samples :
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 35320005a920bfb8f679d7d6cc869e7bd07e54e424c708cd84b7b28bd3fadb19

NanoCore

Executable exe ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 35320005a920bfb8f679d7d6cc869e7bd07e54e424c708cd84b7b28bd3fadb19
Cape
Cape
https://www.capesandbox.com/analysis/68884/

Comments