MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02
SHA3-384 hash: 436a7442c80b17cab61e46e4c62ea9dc3505c572823ffd0d26509e02d818b53fe8380d718993a2e5686fe5f9cdde858c
SHA1 hash: 63724d11860eb401b090ed3d136ee303b5a90ebd
MD5 hash: 4db9b09ad19fb2759956321f9b19f4a5
humanhash: sad-three-delta-solar
File name:SWIFT COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:632'320 bytes
First seen:2023-05-02 07:43:40 UTC
Last seen:2023-05-09 07:52:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:3zmClH52d04CP9fo0EF6CZ/CmgWv6Dsr4Jg3nLqg6KjiZTeG:jmuGKVo0EFnFBr4y3n9viZTX
Threatray 2'704 similar samples on MalwareBazaar
TLSH T157D4DF1221A9CF5AFD3A9BF25474FF8057F1B573A4E1D1221EE624C9DA69F000E0CA5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
248
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT COPY.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-02 07:48:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a87245e7-8c4a-4789-8e56-104a09f5f61b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385987/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6450bf5c3d47a64d306b92da/reports/3bb11f8e-dd65-4c99-b74a-5ed07e4bc2d8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98e8d4fc-6d79-4f8a-9f68-e15f0192aa5a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1224410
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 05:33:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3q2t32hee3s2le2mu3gaupawjjvmcbmz7rrudwysvh36pu7ll4ba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c5cc71cd847d8a2679ec629b631b4d7e1082e7126022ab26ff015298d93a61e
Formbook
1ecc2a4139ce825a85a02bef3426dbcb6a37cc2577dd665fe7c41a73fdd58370
Formbook
234d425a3c85a27252fa477d05a387a30a6e248f1ea17b2e7fcaac13cb9c8db3
Formbook
54ce28992dff46801741011c4bc6f2f893dd21cb5cabe7d59214e584279a7fda
Formbook
aa3e87c3886fe443df71b65dc484b40811a253f1ac642a70c59653912a8a467f
Formbook
ba852b38002916eb89dd9ada1f1ff78c308b433732b1600813789f5707ab6d62
Formbook
cc6eac2e2359b08c5e5c37cafac26d252ca8f22992168fbf5c70a5471ed86ad6
Formbook
cf6a0127f90f8d0155b5b822830bbe5f0b1966e74f805b4c1814af34df750748
Formbook
dd344c32dd59a635e9ebfec3a33f2242178c82498769b995d7fb1c47a34882c8
Formbook
fe30de8c39a135c0bda337c2624c20db55670737fffd79cb09145b42401782cf
Formbook
+ 2'694 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230502-jkweyaab33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
656aada2ab9390504d7cf46b92d0393d234c3e85812f7f9973f50f17d752b189
MD5 hash:
20b79fb655ddb0e5e04635dced149c57
SHA1 hash:
9629333ca38b574db631577a0c541ae70c3f1f28
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
Parent samples :
dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02
959d4d4b20048f42806546895bd45308d03049b3ba626fd4ec71ce77a0eb27ac
b07bf739cd3a803bcf0d57fcbf8d5a628005457db39fd045324e08bd92e6537a
cce0243baf6140b9d0bc6360f85b7d2eb7d769d7d6dd25a5991ab9cc12465b58
SH256 hash:
52fd88bb4e09230c87eb8c536ce9efb118a3ffe14bba30d16f879b96fe41c819
MD5 hash:
9b76023056ff0066e8eb2b99c325ae59
SHA1 hash:
1f8ac416222ad6f4842559346d18e594a0e445da
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
SH256 hash:
0f33c8cfff67c99e97c7b438c7716a8aea05eec86ef5f4167a142cd6e26e3348
MD5 hash:
a82e7ade1e31800c74ca6e79b4c77e3c
SHA1 hash:
e385bad904f1ded2a421c5821c84929cf2678b6b
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
SH256 hash:
3527168167a5f3d4329a9477ffc098b909094ac0e9838cfc2de47d9a98e664ec
MD5 hash:
6c3d85406970ec76449f42cb8ad1603f
SHA1 hash:
5e51e41dbbbb876fad62d1eb1bc50a8589d5b4b2
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
SH256 hash:
c1dff59bb460a50b8d7ec396ca5ab9ac689911b1c0d45c864e71dca45062c713
MD5 hash:
a105f3dfa8be4668dcf675d997c2d3be
SHA1 hash:
183f0d5c68e725d7868adf8f85ea8f56ae476f7c
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
SH256 hash:
dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02
MD5 hash:
4db9b09ad19fb2759956321f9b19f4a5
SHA1 hash:
63724d11860eb401b090ed3d136ee303b5a90ebd
Link:
https://www.unpac.me/results/2d678461-417d-435f-8d70-60022e427b46/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc353de8e426/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385987/

Comments