MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927
SHA3-384 hash: 8480aaf4a4898236414affe4bda811a4552dec99b08fc20e074afbffcc140d74c7918b6ca5e9bca9164a9a52abf0b19b
SHA1 hash: f72e3894e811a640e3cb711b5b2fb48bb2f819e5
MD5 hash: 0d570bf163d36de1eb179e1303efa48d
humanhash: helium-edward-hotel-eighteen
File name:SecuriteInfo.com.Win32.PWSX-gen.8428.27403
Download: download sample
Signature Formbook
Create hunting rule
File size:1'919'896 bytes
First seen:2023-12-13 23:17:37 UTC
Last seen:2023-12-18 17:35:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:kptvbuGMVbT2DK2RjIsPf51MfAKzsrYqNsfvwEfm358elUQzlR0CgNHRMywJVo/c:IvOdyDK2REsfgQaoE+22CQU/hp4
Threatray 17 similar samples on MalwareBazaar
TLSH T1BD95F190ACDD655EEC237BF548B161A483EB10F95287EDB4DD9016BE2864ECB0DC1C3A
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Microsoft Cooperation 2023
Issuer:Microsoft Cooperation 2023
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-13T20:19:10Z
Valid to:2024-12-13T20:19:10Z
Serial number: a14132c73abeb67725cc9df268c3024b
Thumbprint Algorithm:SHA256
Thumbprint: 8fcdb4fd333a5b91551b40684d1c9e0378937e41efb25a7b27b8e1fbadc07bb7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
489
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467338/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a file
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/657a3bab3636548f374ea5d7/reports/96cc9b18-fb9b-4609-ac28-77e52977b508/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Wapomi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b7008a7-be88-4780-ae35-8fa151b33f54
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361794
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1361794 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 14/12/2023 Architecture: WINDOWS Score: 100 28 www.southskyvista.top 2->28 30 www.sfqqqq.com 2->30 32 16 other IPs or domains 2->32 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 6 other signatures 2->54 10 SecuriteInfo.com.Win32.PWSX-gen.8428.27403.exe 3 2->10         started        signatures3 process4 signatures5 56 Writes to foreign memory regions 10->56 58 Allocates memory in foreign processes 10->58 60 Injects a PE file into a foreign processes 10->60 13 calc.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 16 YHdCtfJKzkzJiSRdCBQHGY.exe 13->16 injected process8 process9 18 find.exe 13 16->18         started        21 verifiergui.exe 16->21         started        signatures10 40 Tries to steal Mail credentials (via file / registry access) 18->40 42 Tries to harvest and steal browser information (history, passwords, etc) 18->42 44 Writes to foreign memory regions 18->44 46 3 other signatures 18->46 23 YHdCtfJKzkzJiSRdCBQHGY.exe 18->23 injected 26 firefox.exe 18->26         started        process11 dnsIp12 34 www.lifecoachen.com 23.235.160.38, 49782, 49783, 49784 XIAOZHIYUN1-AS-APICIDCNETWORKUS United States 23->34 36 www.ccamio.com 91.195.240.117, 49741, 49743, 49744 SEDO-ASDE Germany 23->36 38 10 other IPs or domains 23->38
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-12-13 23:18:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymqrrqvdoyxj64tnt72gszv674tgnh5jkj4yda3ef2gb3zxpzetq._file
Verdict:
malicious
Similar samples:
296a2dbc2d3de1c05763952fb82b7cdd2d5f6deccad03c9617da144761993413
Formbook
2d22cc60481e1f25e5bf703cf6d8bd1d4c386036e595e6ada518eea110036332
Formbook
67d9651b26cb6dc1a1d6b9d072b3382555ddd0811d2beb0eab6cab27dfecd8f7
Formbook
7b7cf21dce2f8da6000fb98c2dc42624e6b5ed43cd3ac3c7ce51975c0720042f
Formbook
9e16c1446bb651d105fc3291e3cd797088d5b09440cb7e5000797de2e30a10ac
Formbook
cbd9fe54df365905b812f5fe8a1305fd98bd98f7fe92e426ef3c1d4c72d49f72
Formbook
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231213-299b7sbef4/
Behaviour
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927
MD5 hash:
0d570bf163d36de1eb179e1303efa48d
SHA1 hash:
f72e3894e811a640e3cb711b5b2fb48bb2f819e5
Link:
https://www.unpac.me/results/c67f4bed-3276-4ac5-9345-c677fbfa14b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c32118c2a376/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/c32118c2a3762e9f726d9ff46966beff26669fa952798183642e8c1de6efc927

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/467338/

Comments