MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076
SHA3-384 hash: eab3d4c0f161454442c81c0bd4ecfdd47238eda1dbe51e8167a2e190ed19e39cde3d38206f25d323c3eaeeab1da63d18
SHA1 hash: cb5a0d015579c86750ce89051a5d0d6879e97693
MD5 hash: 2455e266ff8efe130657baf53fb53424
humanhash: iowa-romeo-finch-fix
File name:z63SwiftDoc.exe
Download: download sample
File size:234'449 bytes
First seen:2023-09-27 14:22:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep 6144:BnPdudwDsVvjWjOkyObSAvBbfHdVKDoCcYEJtGg2BO9cL:BnPdwV7oyO9dfuDoCD0tGgaL
Threatray 16 similar samples on MalwareBazaar
TLSH T1413412AA4FA4C8B7E5925B705E3887EB8ADEA81256F943035780A33D7D36083C51F791
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter FXOLabs
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z63SwiftDoc.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-27 14:25:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7dc535c-94ff-42e7-a3e4-9ec131077de0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451613/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.27106.14154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65143ac8988a26b6d97158a0/reports/a2dba5f8-c4f4-4b73-b44f-298c401cf7ec/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fdc263c-95b0-4157-a0df-15a58c209c75
Result
Threat name:
NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1315317
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 00:24:17 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ijb5xnyu6xpieqgtno6puialdcz7fq4nibrvzxf4p6rartd6b3a._file
Verdict:
malicious
Similar samples:
0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
1bb732330744dda9232ab0e291c9b5d5f8e76e9c649ed9e1e9f4327a0c7387dc
58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e
59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756
7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4
86c93b4c01ca5cf2a505360e36677d0f5e5c159ba32a84019c8ef0e1e28cd596
88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2
dc5eb730f1df702be89804ca234b60fec5fed7b6ed8d6c719f7006f40775f888
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230927-rp5heace85/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
961a3aa6a0c08b2ff29d032fbcf1977e15ab8d721c6f71cf35c8c851ddbf160f
MD5 hash:
df6b5286090f8b7dcab4cf67461ab721
SHA1 hash:
a9d0b008c11e55f636bfb8b115ca13c0155d489b
Link:
https://www.unpac.me/results/4b0d7ca1-bbc9-429a-b529-0aa213555539/
SH256 hash:
f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076
MD5 hash:
2455e266ff8efe130657baf53fb53424
SHA1 hash:
cb5a0d015579c86750ce89051a5d0d6879e97693
Link:
https://www.unpac.me/results/4b0d7ca1-bbc9-429a-b529-0aa213555539/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe f2121eddb8a7aef412069b5de7d10058c59f961c6a031ae6e5e3fd104663f076

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451613/

Comments