MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f
SHA3-384 hash: a9198aba6f8b05e334b0d14786fc2e5ea5a326c2c1c57694b6b1cae1864f8ad655e9a5bf6cf94e65b9b8fdc287ed949f
SHA1 hash: 9cc38d660480f9ebbb25779ebe8fbc88cf358c8c
MD5 hash: fbf14925b8537f4321806d6281916815
humanhash: tennessee-delaware-jig-romeo
File name:Swift Copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'973'248 bytes
First seen:2021-08-31 14:16:56 UTC
Last seen:2021-09-01 13:55:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 49152:gnsHyjtk2MYC5GDJtaW8C1Td9ygIKgHgFfs:gnsmtk2ay/Jjphs
Threatray 7'596 similar samples on MalwareBazaar
TLSH T1F795483F65B9A137C131C6B88BE78523F010AB5E3920691577D20B194736A7AB4F336E
dhash icon 70c4cee1e0c2a0e1 (2 x SnakeKeylogger, 2 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Copy.exe
Verdict:
Malicious activity
Analysis date:
2021-08-31 15:49:26 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/77388ac7-fcdd-4e66-89f7-da7ba501f51a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184234/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
DNS request
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Deleting a recently created file
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Infecting executable files
Unauthorized injection to a system process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a0f0dfc-ceaf-41a6-a847-65aeb9116d53
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
expl.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842693
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475131 Sample: Swift Copy.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 63 www.thepink.club 2->63 65 www.theonandpopoinponytail.net 2->65 67 9 other IPs or domains 2->67 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for dropped file 2->83 85 Antivirus / Scanner detection for submitted sample 2->85 87 16 other signatures 2->87 13 Swift Copy.exe 1 6 2->13         started        16 EXCEL.EXE 2->16         started        signatures3 process4 dnsIp5 53 C:\Users\user\...\._cache_Swift Copy.exe, PE32 13->53 dropped 55 C:\ProgramData\Synaptics\Synaptics.exe, PE32 13->55 dropped 57 C:\ProgramData\Synaptics\RCXE1E5.tmp, PE32 13->57 dropped 59 C:\...\Synaptics.exe:Zone.Identifier, ASCII 13->59 dropped 19 ._cache_Swift Copy.exe 3 13->19         started        22 Synaptics.exe 331 13->22         started        61 192.168.2.1 unknown unknown 16->61 file6 process7 dnsIp8 47 C:\Users\user\...\._cache_Swift Copy.exe.log, ASCII 19->47 dropped 26 ._cache_Swift Copy.exe 19->26         started        75 docs.google.com 172.217.16.142, 443, 49724, 49725 GOOGLEUS United States 22->75 77 freedns.afraid.org 69.42.215.252, 49727, 80 AWKNET-LLCUS United States 22->77 79 2 other IPs or domains 22->79 49 C:\Users\user\Documents\~$cache1, PE32 22->49 dropped 101 Antivirus detection for dropped file 22->101 103 Multi AV Scanner detection for dropped file 22->103 105 Drops PE files to the document folder of the user 22->105 107 2 other signatures 22->107 29 WerFault.exe 22->29         started        file9 signatures10 process11 file12 51 C:\Users\...\._cache_._cache_Swift Copy.exe, PE32 26->51 dropped 31 ._cache_._cache_Swift Copy.exe 26->31         started        process13 signatures14 109 Modifies the context of a thread in another process (thread injection) 31->109 111 Maps a DLL or memory area into another process 31->111 113 Sample uses process hollowing technique 31->113 115 Queues an APC in another process (thread injection) 31->115 34 explorer.exe 31->34 injected process15 dnsIp16 69 pltraffic32.com 72.52.179.175, 49805, 49817, 49836 LIQUIDWEBUS United States 34->69 71 motlakfitnes.com 34.98.99.30, 49803, 49807, 49815 GOOGLEUS United States 34->71 73 14 other IPs or domains 34->73 89 System process connects to network (likely due to code injection or exploit) 34->89 91 Uses ipconfig to lookup or modify the Windows network settings 34->91 38 ipconfig.exe 34->38         started        41 Synaptics.exe 34->41         started        signatures17 process18 signatures19 93 Self deletion via cmd delete 38->93 95 Modifies the context of a thread in another process (thread injection) 38->95 97 Maps a DLL or memory area into another process 38->97 99 Tries to detect virtualization through RDTSC time measurements 38->99 43 cmd.exe 38->43         started        process20 process21 45 conhost.exe 43->45         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 14:17:08 UTC
AV detection:
40 of 45 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gkdx35pu4zvdn622wdpp73in4watgs6xo63mo6e6fwwoaspwf7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0fbdb66d81f97c74640af563b58b4d93872ed48a0397754b5c51a5c76d32900c
Formbook
26274dd1baa5be91bd6bdb0db48895d89da2a78e6fac273257557de473adc841
Formbook
41b5691a9272ab9dcb87a5f3f106da073fc3d2c4aea1abd78ac7b3af4cbbffdd
Formbook
56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
Formbook
5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7
Formbook
8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f
Formbook
a3cbb98747178f3da58a7d44bbd672c526d1721b20ece7d92f3b85667467aa2b
Formbook
b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
Formbook
ff97bd0b382bcd07b0e71fd6249426a1d1246c52b07edd238eaa64136db737df
Formbook
+ 7'586 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b0ar loader persistence rat suricata
Link:
https://tria.ge/reports/210831-eq31sbvqce/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.poslity.com/b0ar/
Unpacked files
SH256 hash:
cef99bead698f3eda8b2121506ba7f5bd63883189e7080a8f3794d7b24311f38
MD5 hash:
a48b7ee5a78c1df288abe93abf2b34a8
SHA1 hash:
6196c8eeb4736dae72429e584fea1f8dd92c8f07
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fa65621e-e328-4920-8945-f5e4e3e60192/
Parent samples :
f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f
64c961fa1b24bad0cedc4e69c95177414154a6f4ec05b4028169ff30b5a25234
41747df22b65966e54d0a78b87b8255fe0fbc5fe6f9bacbc4d523c38f006fea5
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/fa65621e-e328-4920-8945-f5e4e3e60192/
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/fa65621e-e328-4920-8945-f5e4e3e60192/
SH256 hash:
25f65ecdb3b9544de86041d02aa0c32881b3c1eb3449a0d2a9a6a654cafa02a8
MD5 hash:
be6f876ced29db436f5bee7736171c53
SHA1 hash:
46e4b1cec54068f7e937666879db65f6ed6b4bf5
Link:
https://www.unpac.me/results/fa65621e-e328-4920-8945-f5e4e3e60192/
SH256 hash:
1e6a0aa41c9a2dec6806f0753fc0e3cc3b87d118e7cf47d25d363689afccb80e
MD5 hash:
3f07af504b313b51d95330cc987f390c
SHA1 hash:
cfe1f426c2365cc42dc0377d184e0ccafd60e25f
Link:
https://www.unpac.me/results/fa65621e-e328-4920-8945-f5e4e3e60192/
SH256 hash:
f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f
MD5 hash:
fbf14925b8537f4321806d6281916815
SHA1 hash:
9cc38d660480f9ebbb25779ebe8fbc88cf358c8c
Link:
https://www.unpac.me/results/fa65621e-e328-4920-8945-f5e4e3e60192/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f1943befafa7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184234/

Comments