MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
SHA3-384 hash: 9449012c0a7536fd7b2d85aa2e20b295abeef38514c08f91d1c57face0477ff2e0d3b6f4807d7d2c6aac8bdcddab4f75
SHA1 hash: c4864e857f383ad6535009a04f5e3b4a7d74e1dc
MD5 hash: b66ea2403a923c0105ad0559e9f6e53b
humanhash: blue-pennsylvania-echo-twelve
File name:SWIFT TRANSFER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:502'272 bytes
First seen:2020-10-06 18:24:27 UTC
Last seen:2020-10-07 05:02:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dJ+DGUJeaJzbY6mLTA+Fbg3Bhkecvoo0oT9p9weRI6sXZ4LGWeuWiKASr:D3taJz01H5gceyouTSeRI5p4KWaiW
Threatray 2'351 similar samples on MalwareBazaar
TLSH 1AB427157B14EAB0F1AE557084C6D1F10302FDDD59A7826ABFD9FE1EB9B7600001EEA2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: telkomsa.net
Sending IP: 95.211.208.23
From: mahindranorthcoast@telkomsa.net
Subject: FW: SOA Review Done : Inter Bank Transfer(IBG) URGENT
Attachment: SWIFT TRANSFER.zip (contains "SWIFT TRANSFER.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68666/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Enabling autorun
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483217
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294070 Sample: SWIFT TRANSFER.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 56 www.anhpham.net 2->56 58 sbsfe-p11r.geo.mf0.yahoodns.net 2->58 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for dropped file 2->70 72 8 other signatures 2->72 11 SWIFT TRANSFER.exe 7 2->11         started        signatures3 process4 file5 50 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 11->50 dropped 52 C:\Users\user\...\SWIFT TRANSFER.exe.log, ASCII 11->52 dropped 54 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 11->54 dropped 84 Injects a PE file into a foreign processes 11->84 15 SWIFT TRANSFER.exe 11->15         started        18 cmd.exe 1 11->18         started        20 cmd.exe 3 11->20         started        23 cmd.exe 1 11->23         started        signatures6 process7 file8 86 Modifies the context of a thread in another process (thread injection) 15->86 88 Maps a DLL or memory area into another process 15->88 90 Sample uses process hollowing technique 15->90 92 Queues an APC in another process (thread injection) 15->92 25 explorer.exe 15->25 injected 29 reg.exe 1 1 18->29         started        31 conhost.exe 18->31         started        46 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 20->46 dropped 33 conhost.exe 20->33         started        48 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 23->48 dropped 35 conhost.exe 23->35         started        signatures9 process10 dnsIp11 60 sweet-elite.com 23.111.149.78, 49735, 80 HVC-ASUS United States 25->60 62 vistaar.world 34.102.136.180, 49736, 80 GOOGLEUS United States 25->62 64 4 other IPs or domains 25->64 80 System process connects to network (likely due to code injection or exploit) 25->80 37 rundll32.exe 25->37         started        40 autochk.exe 25->40         started        82 Creates an undocumented autostart registry key 29->82 signatures12 process13 signatures14 74 Modifies the context of a thread in another process (thread injection) 37->74 76 Maps a DLL or memory area into another process 37->76 78 Tries to detect virtualization through RDTSC time measurements 37->78 42 cmd.exe 1 37->42         started        process15 process16 44 conhost.exe 42->44         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 14:45:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
58
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rhof6urn2p4fahqnlym5xwxqnljg4r6xpdmmc6w4ny3lvfnabva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
5c0c2689256894521ac0012bc464ad7e0d93c25c60b9df3dfe26b35d85d1713a
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
89bf15eae14f60d6acc308cead31f09459947626b9839bbbddbf76f00821fe3b
Formbook
9107a8988792e1ec695a1d662a6b0f7668a6fbfb6352897c1f5bfe85addf2994
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
c6232f818d7c848dee9a6a653df75e0174e38362ff2e5f6040c5e7418af5f219
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
d7d1d6057e7e731b75e1ba9579ccfe717334cc7b4f59324af1a0aa179db22e68
Formbook
da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
Formbook
+ 2'341 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201006-2kfym1f1qn/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.purebodyrecovery.com/rhk/
Unpacked files
SH256 hash:
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
MD5 hash:
b66ea2403a923c0105ad0559e9f6e53b
SHA1 hash:
c4864e857f383ad6535009a04f5e3b4a7d74e1dc
Link:
https://www.unpac.me/results/008abdf9-0a84-4023-b628-fb9a7bd857b8/
SH256 hash:
00fbae02cdcd2438dbc3a8758e8e5dcc8bb86b26162c6b23c1edae3f0ccc918f
MD5 hash:
3c5e36539ea6b6ea02774b082f151ac6
SHA1 hash:
b0ed5a1f3bb540f8c5a08ec5909ec5f1fa59fcf5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/008abdf9-0a84-4023-b628-fb9a7bd857b8/
Parent samples :
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip ba4a9efc049a0054b26686a37bbf44eb7aae8a9245eee697c8a4c70460a506b4

Formbook

Executable exe ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a

(this sample)

  
Dropped by
MD5 2b163c9d080b1e55cf46f9b175c4dede
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68666/
  
Dropped by
SHA256 ba4a9efc049a0054b26686a37bbf44eb7aae8a9245eee697c8a4c70460a506b4

Comments