MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3de0400df60c471dc75a466fbddc47900f817e2cc20e8af5da183df84c7a3fd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3de0400df60c471dc75a466fbddc47900f817e2cc20e8af5da183df84c7a3fd4
SHA3-384 hash: aa4ff64007ea2774cbe1b6def61ebf9216f63f9f2e3da97f39b1712bf9882686b0e061a0c1068d6fbd132933501e7637
SHA1 hash: 115da2d2a7443dac9dea8b29bdfb11aef95b44aa
MD5 hash: 9e2b0cc45ca247a7e335a42f80637541
humanhash: december-alanine-kansas-ten
File name:Company Profile.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:304'855 bytes
First seen:2022-05-30 07:55:22 UTC
Last seen:2022-05-30 08:45:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:2Ya6q2+Zu0nghui9jTwLrkCTSqFU5p2U9Cil+Rk:2YI2+ZXBnSQMaRk
Threatray 16'174 similar samples on MalwareBazaar
TLSH T16B548C103364D41BE3022AB08814F6CDAB74ED942F29D653BA68BE7F753BF461CA5361
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6472f1f0f8ee7a1e (1 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Company Profile.exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 08:02:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7144cb43-adc5-4379-b5dd-9d0fba7e29db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275403/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50335235.30499.2416.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20506/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6294786c0be8a16da4f0d77b/reports/7c20a15d-07e3-4e0e-8f69-a244ce640590/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6439ca2-30ce-4349-8ecd-69ebc00f5ba5
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003533
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd or bat file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 636024 Sample: Company Profile.exe Startdate: 30/05/2022 Architecture: WINDOWS Score: 100 60 www.zedhaque.com 2->60 62 www.wrestlingfancam.com 2->62 64 73 other IPs or domains 2->64 86 Snort IDS alert for network traffic 2->86 88 Multi AV Scanner detection for domain / URL 2->88 90 Found malware configuration 2->90 94 9 other signatures 2->94 11 Company Profile.exe 5 24 2->11         started        signatures3 92 Tries to resolve many domain names, but no domain seems valid 62->92 process4 file5 58 C:\Users\user\AppData\Local\...\System.dll, PE32 11->58 dropped 126 Tries to detect Any.run 11->126 15 Company Profile.exe 6 11->15         started        signatures6 process7 dnsIp8 72 2.56.59.109, 49734, 49779, 49791 GBTCLOUDUS Netherlands 15->72 74 Modifies the context of a thread in another process (thread injection) 15->74 76 Tries to detect Any.run 15->76 78 Maps a DLL or memory area into another process 15->78 80 2 other signatures 15->80 19 explorer.exe 5 6 15->19 injected 24 colorcpl.exe 1 12 15->24         started        signatures9 process10 dnsIp11 66 www.marinpalm.com 154.213.72.40, 49777, 49778, 49819 VPSQUANUS Seychelles 19->66 68 mrfnr.com 108.167.142.231, 49770, 49789, 49790 UNIFIEDLAYER-AS-1US United States 19->68 70 32 other IPs or domains 19->70 52 C:\Users\user\AppData\...\0ruh2dl6vtgr5h.exe, PE32 19->52 dropped 96 System process connects to network (likely due to code injection or exploit) 19->96 98 Benign windows process drops PE files 19->98 26 0ruh2dl6vtgr5h.exe 18 19->26         started        30 wlanext.exe 1 12 19->30         started        32 0ruh2dl6vtgr5h.exe 18 19->32         started        100 Creates an undocumented autostart registry key 24->100 102 Tries to steal Mail credentials (via file / registry access) 24->102 104 Self deletion via cmd or bat file 24->104 106 4 other signatures 24->106 34 cmd.exe 2 24->34         started        36 cmd.exe 1 24->36         started        38 firefox.exe 24->38         started        file12 signatures13 process14 file15 54 C:\Users\user\AppData\Local\...\System.dll, PE32 26->54 dropped 116 Tries to detect Any.run 26->116 40 0ruh2dl6vtgr5h.exe 26->40         started        118 Tries to steal Mail credentials (via file / registry access) 30->118 120 Creates autostart registry keys with suspicious names 30->120 122 Tries to harvest and steal browser information (history, passwords, etc) 30->122 124 3 other signatures 30->124 56 C:\Users\user\AppData\Local\...\System.dll, PE32 32->56 dropped 43 0ruh2dl6vtgr5h.exe 6 32->43         started        45 conhost.exe 34->45         started        47 conhost.exe 36->47         started        signatures16 process17 signatures18 108 Modifies the context of a thread in another process (thread injection) 40->108 110 Tries to detect Any.run 40->110 112 Maps a DLL or memory area into another process 40->112 49 wscript.exe 40->49         started        114 Sample uses process hollowing technique 43->114 process19 signatures20 82 Modifies the context of a thread in another process (thread injection) 49->82 84 Maps a DLL or memory area into another process 49->84
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3de0400df60c471dc75a466fbddc47900f817e2cc20e8af5da183df84c7a3fd4/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 22:28:10 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
7 of 26 (26.92%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxqeadpwbrdr3r22izx33xchsahyc7rmyihiv5o2da67qtd2h7ka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c
Formbook
24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4
Formbook
2820fd9299c1cabb347952b4be8678bf8928a389a76f95aa040adf6970653617
Formbook
93da913f4b899003071cf8743f4a06f14464397cdb135638e2e76072a283f970
Formbook
95c771c632d3d8501bcb90643f6587624eb5c5773557eeceb34bb08872cbd3cd
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
b85f6d4936a285f58b3902ada91915d91652aa45fd2fa774ce73f8f8e48f0ede
Formbook
c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09
Formbook
de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e
Formbook
+ 16'164 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:f7sb discovery downloader loader rat suricata
Link:
https://tria.ge/reports/220530-jsn1tsbhfp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Xloader Payload
Guloader,Cloudeye
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Generic .bin download from Dotted Quad
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/1fc1222a-1d55-40ef-be91-ee8462f48222/
SH256 hash:
3de0400df60c471dc75a466fbddc47900f817e2cc20e8af5da183df84c7a3fd4
MD5 hash:
9e2b0cc45ca247a7e335a42f80637541
SHA1 hash:
115da2d2a7443dac9dea8b29bdfb11aef95b44aa
Link:
https://www.unpac.me/results/1fc1222a-1d55-40ef-be91-ee8462f48222/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3de0400df60c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3de0400df60c471dc75a466fbddc47900f817e2cc20e8af5da183df84c7a3fd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3de0400df60c471dc75a466fbddc47900f817e2cc20e8af5da183df84c7a3fd4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/275403/

Comments