MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c
SHA3-384 hash: 63bf4979adb56a87140eb7dce1711927a803c0e689781352775bb584dba9c38a86252afa8d5d1934671f6139324a20c5
SHA1 hash: d5f47b5a8bc6c86919adad35e31cf530b116a3b2
MD5 hash: 39d228383d302a5e450859b1ca4eb052
humanhash: yankee-friend-arkansas-tennis
File name:Snrkelen2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:161'296 bytes
First seen:2022-02-07 06:29:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:I1NjcVVnLpPuDAoxc+isclU/fGb7Q0SRCnsp4haqDOVhhcKUyA2F5:sNeZKAoviH17Q0gCnsp4hyVHo+j
Threatray 1'517 similar samples on MalwareBazaar
TLSH T161F3D091A7E4CD63ECA61630C8378AF62AB5AD1CD971424B37647E1CBD33183849E74E
File icon (PE):PE icon
dhash icon 009aa6b686aab200 (1 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook signed

Code Signing Certificate

Organisation:NOONISH
Issuer:NOONISH
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-06T18:57:30Z
Valid to:2023-02-06T18:57:30Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 453a3d4f685778d82ab3307acaea6ceb5c514d01f104a72541b480164c0ee324
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c.exe
Verdict:
Malicious activity
Analysis date:
2022-02-07 06:35:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd5f13f6-b908-4169-8845-0f59c9e29b5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/234015/
Detection(s):
SecuriteInfo.com.Trojan.Win32.GuLoader.ac.28995.1862.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6188/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe guloader overlay packed python shell32.dll
Link:
https://www.filescan.io/uploads/6200bc7031f00fad9db31fa1/reports/1241967f-cb4c-4172-9006-c9d2acffd237/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/59d41028-d414-42f0-9815-d80ffc4641b0
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934916
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 567394 Sample: Snrkelen2.exe Startdate: 07/02/2022 Architecture: WINDOWS Score: 100 34 www.yesicaccolqque.com 2->34 36 www.wensupsychology.com 2->36 38 19 other IPs or domains 2->38 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Found malware configuration 2->60 62 9 other signatures 2->62 10 Snrkelen2.exe 22 2->10         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\Temp\subst.exe, PE32+ 10->28 dropped 30 C:\Users\user\AppData\Local\Temp\query.exe, PE32+ 10->30 dropped 32 C:\Users\user\AppData\Local\...\System.dll, PE32 10->32 dropped 64 Tries to detect Any.run 10->64 66 Hides threads from debuggers 10->66 14 Snrkelen2.exe 6 10->14         started        signatures6 process7 dnsIp8 46 konutmarket.com 178.18.206.58, 443, 49829 VARGONENTR Turkey 14->46 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Tries to detect Any.run 14->70 72 Maps a DLL or memory area into another process 14->72 74 3 other signatures 14->74 18 cmd.exe 14->18         started        21 explorer.exe 14->21 injected signatures9 process10 dnsIp11 48 Self deletion via cmd delete 18->48 50 Modifies the context of a thread in another process (thread injection) 18->50 52 Maps a DLL or memory area into another process 18->52 24 cmd.exe 1 18->24         started        40 siteoficial-comprassegura.com 216.172.172.203, 49836, 80 UNIFIEDLAYER-AS-1US United States 21->40 42 www.invest2burundi.com 91.195.240.94, 49833, 80 SEDO-ASDE Germany 21->42 44 6 other IPs or domains 21->44 54 System process connects to network (likely due to code injection or exploit) 21->54 signatures12 process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-06 22:35:36 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
16 of 28 (57.14%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2sllzas2k7hsa4ountyg3jtysfrbopntutccxeofsmooukbrwoa._file
Verdict:
unknown
Similar samples:
00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
Formbook
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
Formbook
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
Formbook
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
Formbook
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
Formbook
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
Formbook
fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
Formbook
+ 1'507 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220207-g9ht2agff3/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/c0382150-eb99-4f2c-b1fc-7f33bb344251/
SH256 hash:
0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c
MD5 hash:
39d228383d302a5e450859b1ca4eb052
SHA1 hash:
d5f47b5a8bc6c86919adad35e31cf530b116a3b2
Link:
https://www.unpac.me/results/c0382150-eb99-4f2c-b1fc-7f33bb344251/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/234015/

Comments