MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd
SHA3-384 hash: c98f3f8dcfef418611d3f6aa5bcfaada802e93024ec110b20d864b7b6fb369fe49c482bc0420ad91d6c01a913bd1f113
SHA1 hash: ea2aff5c32f2cf3cf8760236db0a199664c24860
MD5 hash: 11794882ffaca0c36c7480473ed6fd5e
humanhash: high-apart-hydrogen-batman
File name:HSBC Bank Swift Copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:712'704 bytes
First seen:2021-11-22 11:31:05 UTC
Last seen:2021-11-22 13:59:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:y8OF+HRZjhsrzSPzqMldXWTrlq6NONd7haeN:f7qGGTrhNOseN
Threatray 11'558 similar samples on MalwareBazaar
TLSH T1D3E44B3032957396CC765BB80C6461C42737B6493D08D75DACC922DEAD62F2B8B237A7
Reporter abuse_ch
Tags:exe FormBook HSBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC Bank Swift Copy.exe
Verdict:
Malicious activity
Analysis date:
2021-11-22 11:59:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/af86d415-00aa-4477-9153-829cce08c96d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.3410.2924.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619b7fb694a88037d2fe39fa/reports/5a84153c-c92d-4fe2-84ee-43b1079f516c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d15efeb6-4bdd-4821-808c-9ec24b3783e1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893753
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 526230 Sample: HSBC Bank Swift Copy.exe Startdate: 22/11/2021 Architecture: WINDOWS Score: 100 43 www.ashleasellshomes.com 2->43 45 www.goodcallhvac.com 2->45 47 ashleasellshomes.com 2->47 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 11 other signatures 2->61 11 HSBC Bank Swift Copy.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\AWrVsCpjBN.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmpBCC3.tmp, XML 11->39 dropped 41 C:\Users\...\HSBC Bank Swift Copy.exe.log, ASCII 11->41 dropped 65 Adds a directory exclusion to Windows Defender 11->65 15 HSBC Bank Swift Copy.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Maps a DLL or memory area into another process 15->77 79 Sample uses process hollowing technique 15->79 81 Queues an APC in another process (thread injection) 15->81 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process9 dnsIp10 49 www.ycyxztjd.com 192.74.249.230, 49808, 80 PEGTECHINCUS United States 22->49 51 vinayagafinefoods.com 162.0.232.192, 49802, 80 NAMECHEAP-NETUS Canada 22->51 53 7 other IPs or domains 22->53 63 System process connects to network (likely due to code injection or exploit) 22->63 30 cmd.exe 22->30         started        signatures11 process12 signatures13 67 Self deletion via cmd delete 30->67 69 Modifies the context of a thread in another process (thread injection) 30->69 71 Maps a DLL or memory area into another process 30->71 73 Tries to detect virtualization through RDTSC time measurements 30->73 33 cmd.exe 1 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 02:43:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lvs2ppfkbnlgyonhmvnlpgwatbu6ljd66p4gsjaisdpigbws66q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
166fc5432ac8ce1024a26b55bdff22553e972bce7eb0a15b8d7347482e2c93f4
Formbook
21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
Formbook
272531d27bc174147bf75477ebef18762f3c583b86ee9e0509d3719b6ec0fbad
Formbook
84236953e6059c7733ecd777604a225ee85dc96740a46aac1379d13b3d57630d
Formbook
88c841869430e07bb9b80e52d61d4f013c6bd8753b06807b411a428f09669c33
Formbook
b207cf6e0fe84692f4311e2768d913bae8005da5f7ed4cf1cee2459a6f62faa9
Formbook
bcf5c110d3a8602e8c4fb238c36cc1ffb0044b3b8c3c697a404364b7cc24e096
Formbook
c8352baa0192f9bdbf7b0d47d76f9b592ba602ea001fdc21e281899eb3209a6c
Formbook
fa73563a8ccbea57411fb4b9a5c713c1be3771e7c765a0b8e1100d0f4584c634
Formbook
+ 11'548 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:c46r loader rat suricata
Link:
https://tria.ge/reports/211122-nmr8hsfdam/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.ashleasellshomes.com/c46r/
Unpacked files
SH256 hash:
8344bb71cb013fb4c5de210fcea5e333d013c378e4331c462a53b65342b91ee4
MD5 hash:
bf407aa4da19380b0cc6ccb1b40259ef
SHA1 hash:
ce6192cce6d8347bd46923716262f382eb2448e9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e0eae64c-08aa-45c0-9e9b-da64b6ff722b/
Parent samples :
faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd
3546415efa309d5e90ca0be71d031ac458c6ca4c61ccfa221a07473d0baca386
6c77bf1abcd2822284197e71fe278ff2ff98fd98075e373500b29521f91e515f
SH256 hash:
8f046a884b71343a33a953c45196caa5070a7a407471f8f204944f681bcaabd1
MD5 hash:
288a868b5b703277a23347386987f5dc
SHA1 hash:
66016b0d9a648fad5cc9301504a9542f577a79ea
Link:
https://www.unpac.me/results/e0eae64c-08aa-45c0-9e9b-da64b6ff722b/
SH256 hash:
f30ca642597c059f9dbcc6cfea27687245fbcaf5456be0b7a4528d946f3a0a05
MD5 hash:
0f6349011cf5446131faf0cadbace87b
SHA1 hash:
0cd48b5cb5a0ca095043c333c9002ba5273e92e8
Link:
https://www.unpac.me/results/e0eae64c-08aa-45c0-9e9b-da64b6ff722b/
SH256 hash:
faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd
MD5 hash:
11794882ffaca0c36c7480473ed6fd5e
SHA1 hash:
ea2aff5c32f2cf3cf8760236db0a199664c24860
Link:
https://www.unpac.me/results/e0eae64c-08aa-45c0-9e9b-da64b6ff722b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/faeb2d3de550/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe faeb2d3de5505ab361cd3b2ad5bcd604c34f2d23f79fc349204486f4183697bd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/208123/

Comments