MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba
SHA3-384 hash: c9a826b73b50d76bdddbee99e5a8395036ebcac19d724dbc4ee5e3780ec4be17835180a9991a1a7a2011e64082ff1563
SHA1 hash: 8fcfc099505b7d825f8176af5d2a0dedfd7f39f2
MD5 hash: bb5ab5b4895da7f1eddbaf67d7fe6067
humanhash: friend-arkansas-quiet-london
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'844 bytes
First seen:2022-01-14 11:07:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 3072:oNyah0mJo5+uoVPvlKLhdo9auOECcQV6a5iI3cHPWexwwqt2DbXfwIFLahXs4VSi:ow1Ivod29iECcQ0IsvWexwdUwZs4kgNr
Threatray 12'684 similar samples on MalwareBazaar
TLSH T1343412BA65E6C0ABE1D24272B633538BD3B3F7013BD4118BD78C2FBA56601871D165D2
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 11:14:03 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/e8580ff2-a60a-47a6-ac15-1a1776ff0a1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219300/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
DNS request
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe expand.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61e159981883c5ba4ecb637c/reports/57f2584c-234a-49c4-9bac-bc9cbdc3a9c8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e03bfd16-c971-48e1-afb5-371e88b6dec8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920684
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553162 Sample: Ziraat Bankasi Swift Mesaji.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 33 www.ys688.xyz 2->33 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 11 Ziraat Bankasi Swift Mesaji.exe 19 2->11         started        15 explorer.exe 1 2->15         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\kiicqtduhx.dll, PE32 11->31 dropped 59 Injects a PE file into a foreign processes 11->59 17 Ziraat Bankasi Swift Mesaji.exe 11->17         started        signatures6 process7 signatures8 35 Modifies the context of a thread in another process (thread injection) 17->35 37 Maps a DLL or memory area into another process 17->37 39 Sample uses process hollowing technique 17->39 41 Queues an APC in another process (thread injection) 17->41 20 explorer.exe 17->20 injected process9 process10 22 colorcpl.exe 20->22         started        signatures11 51 Self deletion via cmd delete 22->51 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        27 explorer.exe 2 153 22->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba/
Threat name:
Win32.Trojan.Risis
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 11:08:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
14 of 43 (32.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yj2pg7ksu3xxgaawj3k4szccnocty7gtsobrbiiccfbzus2uco5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ff7c84701eaf8b5865bb2716e8a8d0f0ae71ddf725b0330e6b88229585e2ad1
Formbook
6e025a1d72e2abfb9c0fb6c945d3fcdbe2124c5d68d8f5fb09b8389bc30f799e
Formbook
7930bf3f1be9acdf429e2433aa7d0c36985d9a97e580571fee1ffe8cbc0d8f5a
Formbook
79f8f1036804607a78bbd45309a1fe0a20e29651c154439fc1d2ea2ea0d45078
Formbook
99e25501d1c736865e766fe4e347cda8817f4005be1d7b0c336451b89be71ed2
Formbook
9b9e383f7635be680129b113ad1e827c61e2e2cf1ce7ccccd2f09b9a0a546494
Formbook
a5445168b24e211aa5df098ed4be983c8d57f935610638e466bdc6c98065effb
Formbook
d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
Formbook
d16da4e6a63f26601dd3c961f31708db79be1aead7cf3834fafa47095b1a45a6
Formbook
e0b4a1d31c1f8f4a2850508bba55f9dc97f55f33519c333fbba71a9f931d0793
Formbook
+ 12'674 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a0p6 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220114-m8j9csgaeq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
364845e0cbf2e75ecb60c53ea9131c2222ba53ab3963920330f717c67247670e
MD5 hash:
d9a8f2238da42467fe85945951d59f33
SHA1 hash:
e84c624c54d793ffa5333c48d020cea658084b7c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/caf886de-5643-4924-b72b-ee1e9da97526/
Parent samples :
c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba
ee3102fee650284b04e3ac5646e83dc54ccaec30e9c484bc8159a1d4d7713299
0e3dc9a9c08c1dadb1cb920c7d32b7f9fee978460a15f8459a4cc12c98c6e7cd
c6cbe14f336bc97cc4bf2db682cc36efc1b371f6cc45509ee347c29348903676
baef60b7ed8a0286e276a7b7d76c7a9d52a8a77c2688b0d2b2cc1d886954b1a0
SH256 hash:
de9bf1eaff348707d8ed3f4ddf31b696edaaf6a2e1b228785198258ec8cd6706
MD5 hash:
a85b7c70d00f1a15be15108bb6f5601e
SHA1 hash:
e3bd606be8d0c6dbf87bc4f92cac260f5353c507
Link:
https://www.unpac.me/results/caf886de-5643-4924-b72b-ee1e9da97526/
SH256 hash:
c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba
MD5 hash:
bb5ab5b4895da7f1eddbaf67d7fe6067
SHA1 hash:
8fcfc099505b7d825f8176af5d2a0dedfd7f39f2
Link:
https://www.unpac.me/results/caf886de-5643-4924-b72b-ee1e9da97526/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219300/

Comments