MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4
SHA3-384 hash: 47bee7cc491a7dcd981f81b54194866513d09fc3e0b0dd57516ee173889976b7ff1854bfe77bca8ee28021c1e8fd482a
SHA1 hash: 1ffbab3b4dd1e7ad91248bf97662c153e7a98a84
MD5 hash: 80d4e5cc570a2d4ba2b2f238a8837db7
humanhash: foxtrot-saturn-mango-washington
File name:SWIFT00983928932.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'481'728 bytes
First seen:2025-03-05 13:19:12 UTC
Last seen:2025-03-05 14:38:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:lsB3WD/hMiOkmtHwOemxd45eNv6j9HRlGFehdTuzMBzPXpjLTgqvAxM2APpy5TDO:lsB3WD/hMiOkmpwqxuU56xhdTvBzXpPL
Threatray 2'177 similar samples on MalwareBazaar
TLSH T18E65E007FF8B89F2E2815772C59B491073E4D58A77ABDA0E3C8A23E648437BADD40157
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
455
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SWIFT00983928932.exe
Verdict:
Malicious activity
Analysis date:
2025-03-05 13:23:53 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/f6ae4979-ea32-4244-b8ca-12777a8fc757

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3259.2813.22419.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c85123c668b65489bf2e65
Tags:
autorun virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67c84f57e95d0f9029e4534c/reports/e095ab03-69c9-4a45-8832-89711801c0e5/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2794781-c016-4976-97e8-a2e500a302af
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1630083
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1630083 Sample: SWIFT00983928932.exe Startdate: 05/03/2025 Architecture: WINDOWS Score: 100 44 www.cakjitu01.xyz 2->44 46 www.806477628.xyz 2->46 48 15 other IPs or domains 2->48 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 64 12 other signatures 2->64 11 SWIFT00983928932.exe 5 2->11         started        signatures3 62 Performs DNS queries to domains with low reputation 46->62 process4 file5 38 C:\Users\user\AppData\Roaming\skype.exe, PE32 11->38 dropped 40 C:\Users\user\...\skype.exe:Zone.Identifier, ASCII 11->40 dropped 42 C:\Users\user\AppData\Roaming\...\skype.vbs, ASCII 11->42 dropped 84 Drops VBS files to the startup folder 11->84 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->86 88 Tries to detect virtualization through RDTSC time measurements 11->88 90 Switches to a custom stack to bypass stack traces 11->90 15 SWIFT00983928932.exe 11->15         started        signatures6 process7 signatures8 92 Modifies the context of a thread in another process (thread injection) 15->92 94 Maps a DLL or memory area into another process 15->94 96 Sample uses process hollowing technique 15->96 98 2 other signatures 15->98 18 explorer.exe 78 8 15->18 injected process9 dnsIp10 50 www.seo-companies22.online 64.190.62.22, 49738, 80 NBS11696US United States 18->50 52 www.hiretemp.net 208.91.197.13, 50007, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 18->52 54 2 other IPs or domains 18->54 66 System process connects to network (likely due to code injection or exploit) 18->66 68 Uses netsh to modify the Windows network and firewall settings 18->68 22 wscript.exe 1 18->22         started        25 netsh.exe 18->25         started        27 skype.exe 18->27         started        29 rundll32.exe 18->29         started        signatures11 process12 signatures13 70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 22->70 31 skype.exe 2 22->31         started        72 Modifies the context of a thread in another process (thread injection) 25->72 74 Maps a DLL or memory area into another process 25->74 76 Tries to detect virtualization through RDTSC time measurements 25->76 78 Switches to a custom stack to bypass stack traces 25->78 34 cmd.exe 1 25->34         started        80 Sample uses process hollowing technique 27->80 82 Found direct / indirect Syscall (likely to bypass EDR) 27->82 process14 signatures15 100 Antivirus detection for dropped file 31->100 102 Multi AV Scanner detection for dropped file 31->102 104 Tries to detect virtualization through RDTSC time measurements 31->104 106 Switches to a custom stack to bypass stack traces 31->106 36 conhost.exe 34->36         started        process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-03-05 06:52:03 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6icc2frpgp5gkj5l2loe4wj2n6escx4qhnvev7u3k7nd63nhy3ka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
70ac7d4fc73d8eec8b9f9137a4d6aff5c9d41138aa05caaeedccdab088fceba6
Formbook
75b2472b562f8ae20e5ebc2f6c32a8a3eb1883b25c920000db1597ada8961076
Formbook
85aa723b2a05b4346b75215ba7bb8ba3f1fbbd32a487e647e53c6522c234d3e4
Formbook
be1c6edf87f2476fd21d082b2a22f4b84b2d4544313e8d04b1c0d823fc5d52a5
Formbook
e6c0136177ada65d722bacab76eaa4e65b7f6dff237198cc05f3f2a29055ed1e
Formbook
error
Formbook
f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4
Formbook
+ 2'167 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:3nop discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250305-qk3ycay1fw/
Behaviour
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Formbook payload
Formbook
Formbook family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0f56e3d1-4731-4a80-954a-15987e22705b
Unpacked files
SH256 hash:
f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4
MD5 hash:
80d4e5cc570a2d4ba2b2f238a8837db7
SHA1 hash:
1ffbab3b4dd1e7ad91248bf97662c153e7a98a84
Link:
https://www.unpac.me/results/721bd95b-1feb-48b4-b141-c3324e2299e9/
SH256 hash:
a143668e04af7a96d1c2aff4768704f3f3305ea25ed6770d81ae7820b6a9720a
MD5 hash:
1728965c0232e037127776d93984b805
SHA1 hash:
c772b1808f1648f8adeab5af216a072dd5e95c08
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/721bd95b-1feb-48b4-b141-c3324e2299e9/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/721bd95b-1feb-48b4-b141-c3324e2299e9/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/721bd95b-1feb-48b4-b141-c3324e2299e9/
SH256 hash:
f6391966ccdd6dc6e5562a50c595c8cd6eb7bd25eacfba209daec7c49ecd142b
MD5 hash:
1e44b8e341422f4c095e525f6d50ad58
SHA1 hash:
c325e7c142139b294a3e8c6ce42ea61dc18d4889
Link:
https://www.unpac.me/results/721bd95b-1feb-48b4-b141-c3324e2299e9/
SH256 hash:
74622d50375099d2ce3d8fbd857bd6163ae1083b3b4ab243b9e9c0681f0b6d2c
MD5 hash:
9dd3d8c66e9517f1395e528e9caacba1
SHA1 hash:
1d7cffd8ce762d6bd77719ca1b0d272b7d47d49c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/721bd95b-1feb-48b4-b141-c3324e2299e9/
Parent samples :
51d5fbecdf7459fc37ab296b97245a020f31cfd4ac1073f3fb2947a3710a8523
9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc
2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
4336ddb80f3875340305306f98bd57efcb38a2182153d71308957167a295c070
36b2c227683d3aea101fb59edb33edb1ba28ec0753a32a5ce42b1959d6716965
d0cff61258d18def7ad7129368ecaccf5d2389eb1fd79b6cbb411c65c5783e0d
003e445ec7e3a973ac6b61b8375e4db13e9ac69a2fb48f3c647571c473eb22c2
9d81ffafe26b6cf9e8c5fb0ff739c279d07c6d96b7f1f3927741e7cb6746b452
be8ae15279781ab2ac7f6985d5d611d6533fdeb2be8d783eebccc28e38ab256d
bb69c9e4dc8bbcb1e7c4d7fe8bcc86c87cdb4af34212b992a5ac82ca8e92782d
b1d422db723db6c2f7293a2c09397b46677407aaea878d24c63b0911edd0c6d0
7df9ceec9c6ece56d60b5264804b0c9360c4f87bc595d9987c5d87990511ba34
f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4
20e542ae3966472a40baa9e22ee751b54547961e6b5b43d23040342625685193
d6ffa7c046b2e2d6268f0e516170f77c2f1aad8fbfa1feba5be0f4fe7963aced
94cabb62a68074520220fe485bf718bb4ff66b76ff39037542845d2f143e35ce
ea4fe51e13f6ab1785535b32345f69ef110e21981bf7dbb09ce02c0bdec1e43c
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2042d162f33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f2042d162f33fa6527abd2dc4e593a6f89215f903b6a4afe9b57da3f6da7c6d4

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments