MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b
SHA3-384 hash: 3907ff543e92aae3da37a1e01c1d3222906879f3006feb85186f3154557fcff1d591b6d435fe2cbaac6ed5b60681cdc0
SHA1 hash: d19769d9fb9970253f55decb8227b9d367eb78ba
MD5 hash: 9d7290bbe5611ee57a7604cbea3518f0
humanhash: cup-bulldog-fourteen-monkey
File name:00882320002344-SwiftAdvice_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:193'024 bytes
First seen:2021-01-19 13:03:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 43f1b4fb55ffa0f3576d845e7070130e (5 x Loki, 5 x Formbook, 4 x AgentTesla)
ssdeep 3072:OJ6PrCpB4Cyh7Anqj2NsXuVqEi2Yk6RkM8Pz4BVObuTRrQY4CbhyvlpRG54Agr1v:K2rCpB4inqj2NLLfYJd8P8VBaCbhykEB
Threatray 4'030 similar samples on MalwareBazaar
TLSH 231401EA46D9CF31C0E2C0F11D21A4FA9E6721D09B2920E7CBD67C39943DD86E17495E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 45-135-135-84.cprapid.com
Sending IP: 45.135.135.84
From: tradequalityunit@hdfcbank.com
Subject: Transaction advices for your company . 19-Jan-2021 2021011811559
Attachment: 00882320002344-SwiftAdvice_pdf.xz (contains "00882320002344-SwiftAdvice_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00882320002344-SwiftAdvice_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 13:20:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eacff613-2dd3-44a6-a386-080e79890a4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112890/
Detection(s):
Win.Malware.Filerepmetagen-9822566-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/585092
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b/
Threat name:
Win32.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 10:11:56 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7rwl6xi4ffk4fmn4bizolx6ouidw4c7pwgpqqdb7bl5pg5rte5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
180444e71cfbd639cea07e4cdc28099a444839f5ad3eb024b87dc9664fdfd5ec
Formbook
38f3aadc65df16aed9f5bbaa5f42598d3fd9b29811429fcddd679a40b092fca0
Formbook
6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2
Formbook
767c6a99428699b36e98c7b3444ccf34b4823f5666f42f69fbefbf2d19ab8af9
Formbook
82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7
Formbook
8dcbbb73c0afe52777190faea7b3c0c5bf89407a20d1e24784e7afe7f163ba1a
Formbook
a55e49e3dffd386fbe1b8cfdafb4bcca81264b48e1fa2f9d68a7b8b12ec2bc7e
Formbook
c15f6faab41ea44719d795995c15024db0719fa5c9a731110587ec4e1e041fc2
Formbook
e2d83de235b73fa4366db562daf7a16884eb632bc00ac8d12d371bdc7a2d1c2f
Formbook
fe7c717b3f64d3c721f760c5d62cf09b7bfcdb8fcbf163e7958907a3d7b2dfad
Formbook
+ 4'020 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-jne4ssrw3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.floridaretaildevelopment.com/uoyd/
Unpacked files
SH256 hash:
04bbcc47174402826417a380efb80ff2d0677e4c68982fb39650b5cb044182b2
MD5 hash:
50669a718194ae5ec2fd0ba8f46c7f27
SHA1 hash:
8e58bde2d794a8ca6fad34ac7ad13d6c799065f8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3935ae3f-7f0c-4cae-a0dd-5018acbbd831/
SH256 hash:
bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b
MD5 hash:
9d7290bbe5611ee57a7604cbea3518f0
SHA1 hash:
d19769d9fb9970253f55decb8227b9d367eb78ba
Link:
https://www.unpac.me/results/3935ae3f-7f0c-4cae-a0dd-5018acbbd831/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

xz f73c800b56405657aec0fad7586a8633fd4cf56797f38b5227271cd75b29b803

Formbook

Executable exe bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b

(this sample)

  
Dropped by
MD5 5f2ae3b66817f0484f37c5874e758ab8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112890/
  
Dropped by
SHA256 f73c800b56405657aec0fad7586a8633fd4cf56797f38b5227271cd75b29b803

Comments