MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4
SHA3-384 hash: 52f84d5838049c265d6c7d1e966e3eea35ef808b214639f22a1f596c241656573ecfea64499de51a2afe5612e8e3e234
SHA1 hash: 86e6ae1f465c0a6bad2520a2a48ebe2649017d0c
MD5 hash: 6be6b27d240f3cb7fe472d49bda1ee1e
humanhash: snake-quebec-alpha-crazy
File name:DWG-1579.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:805'042 bytes
First seen:2022-04-21 06:48:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:yYQZMutWqdKZICuCSqiv2rq02fCPmnqIdOpsYG9qr0r:yYQZMutWqdKZXuCS0WrnqI8psz9qr0r
Threatray 15'366 similar samples on MalwareBazaar
TLSH T137058EF035D6C4CEE1B652358170F73CD9C5FE80192A825A5DC63ADFB93B281EA191B2
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1ffe879b8f3c30a0 (2 x Formbook)
Reporter FORMALITYDE
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265325/
Detection(s):
SecuriteInfo.com.Artemis6BE6B27D240F.5883.1776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6260fe5fffe27d5119208240/reports/ea94d97d-1391-4e54-9aa6-d1043746c18f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1dd97f8c-30ca-4625-bdcb-798525590066
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/980437
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspicious Creation with Colorcpl
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 612924 Sample: DWG-1579.exe Startdate: 21/04/2022 Architecture: WINDOWS Score: 100 61 www.zedhaque.com 2->61 63 www.yxmcha.com 2->63 65 46 other IPs or domains 2->65 89 Multi AV Scanner detection for domain / URL 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 8 other signatures 2->95 11 DWG-1579.exe 30 2->11         started        signatures3 process4 file5 49 C:\Users\user\...\vcruntime140_app.dll, PE32+ 11->49 dropped 51 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 11->51 dropped 53 C:\Users\user\AppData\Local\...\System.dll, PE32 11->53 dropped 55 7 other files (none is malicious) 11->55 dropped 113 Tries to detect Any.run 11->113 115 Hides threads from debuggers 11->115 15 DWG-1579.exe 6 11->15         started        signatures6 process7 dnsIp8 73 107.173.229.154, 49761, 49820, 49825 AS-COLOCROSSINGUS United States 15->73 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Tries to detect Any.run 15->77 79 Maps a DLL or memory area into another process 15->79 81 3 other signatures 15->81 19 explorer.exe 3 6 15->19 injected signatures9 process10 dnsIp11 67 www.marinpalm.com 154.213.72.40, 49789, 49806, 49836 VPSQUANUS Seychelles 19->67 69 mrfnr.com 108.167.142.231, 49800, 80 UNIFIEDLAYER-AS-1US United States 19->69 71 23 other IPs or domains 19->71 47 C:\Users\user\AppData\...\o2kdcpxv6ol4xz.exe, PE32 19->47 dropped 97 System process connects to network (likely due to code injection or exploit) 19->97 99 Benign windows process drops PE files 19->99 24 colorcpl.exe 1 14 19->24         started        27 o2kdcpxv6ol4xz.exe 18 19->27         started        30 o2kdcpxv6ol4xz.exe 18 19->30         started        file12 signatures13 process14 file15 101 Tries to steal Mail credentials (via file / registry access) 24->101 103 Self deletion via cmd delete 24->103 105 Tries to harvest and steal browser information (history, passwords, etc) 24->105 111 4 other signatures 24->111 32 cmd.exe 2 24->32         started        35 cmd.exe 1 24->35         started        37 firefox.exe 24->37         started        57 C:\Users\user\AppData\Local\...\System.dll, PE32 27->57 dropped 107 Tries to detect Any.run 27->107 109 Hides threads from debuggers 27->109 39 o2kdcpxv6ol4xz.exe 6 27->39         started        59 C:\Users\user\AppData\Local\...\System.dll, PE32 30->59 dropped 41 o2kdcpxv6ol4xz.exe 6 30->41         started        signatures16 process17 signatures18 83 Tries to harvest and steal browser information (history, passwords, etc) 32->83 43 conhost.exe 32->43         started        45 conhost.exe 35->45         started        85 Tries to detect Any.run 41->85 87 Hides threads from debuggers 41->87 process19
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 22:17:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=et2cv3espll6etbrjrklfnyp3kzmw4c3efv3flwcipwglav5532a._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
formbook
Create hunting rule
Similar samples:
01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c
Formbook
409d082509f1965c92e8be062f7dccb0b9af2458e720460658729468d44fef28
Formbook
7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa
Formbook
92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8
Formbook
945e623b814b647326ed96bc5be37010053fdc50f9dce11d96e408c22a8afd4a
Formbook
99889ef9126eddb7fee40e181c9832c734f8cef74736e2c577438300b468751c
Formbook
a104d6d98afd1eca774c2b8b12aee19bbc52216a358d9bf00ebfb503ef8e553d
Formbook
b16670d7ab7fc43029ef6033d5bf6b8a3ad78f09fefed66ec6351c7eac0a53f8
Formbook
bd7cddd657e0144076352a60664ca134c2ddee8ffe8da70793d5b97f17cf9318
Formbook
de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e
Formbook
+ 15'356 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:f7sb downloader loader rat
Link:
https://tria.ge/reports/220421-hlctjsdea8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Xloader Payload
Guloader,Cloudeye
Xloader
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/913fb1e7-64c7-47d6-bf8f-0d019a3d1b41/
SH256 hash:
24a1c06934ffb7e5e034e13378db45a132f50ff1c832ec3a5f0442f87e217f3e
MD5 hash:
447e0adedc36cd4d4d27747a0446b3c4
SHA1 hash:
2b719484dd8dc99a76055e26486d3556f4c15eb3
Link:
https://www.unpac.me/results/913fb1e7-64c7-47d6-bf8f-0d019a3d1b41/
SH256 hash:
24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4
MD5 hash:
6be6b27d240f3cb7fe472d49bda1ee1e
SHA1 hash:
86e6ae1f465c0a6bad2520a2a48ebe2649017d0c
Link:
https://www.unpac.me/results/913fb1e7-64c7-47d6-bf8f-0d019a3d1b41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/265325/

Comments