MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5da038f135ce18d328cd2669818a22472143fca71149a96ede113a018eeaea88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5da038f135ce18d328cd2669818a22472143fca71149a96ede113a018eeaea88
SHA3-384 hash: df13fb888b1a7bffd97752cbfbf89b0ea38392145ca2c18e4ebc4c103bc18485a0faab4fd7f492bee93e035441490b69
SHA1 hash: cb303b9116429cf20fbc51f47d1bc5905451dc92
MD5 hash: 3085ec04f17ac08ca8102f45b9b62f79
humanhash: alpha-shade-oranges-west
File name:ZAMÓWIENIE NR 001 (MP TECH POLSKA)-pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:632'312 bytes
First seen:2023-05-09 07:03:13 UTC
Last seen:2023-05-13 22:58:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (384 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:lq42FAoxMh2VnYnhjWJhbtL2p/x0ouZazrdLKwoY1c6nq3X2ek96:m1xMhMShjghbtUKojd2woEc6B6
Threatray 1'412 similar samples on MalwareBazaar
TLSH T145D4E0A93952F81ACF2B4E31682FDD642731FC79A9D05A7B31837B2F2574480991B11F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adam_zbadam
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-28T07:38:40Z
Valid to:2025-12-27T07:38:40Z
Serial number: 5576105ca52f3b8a3aa1ee84175307bac9d0abcc
Thumbprint Algorithm:SHA256
Thumbprint: ac3508d0aa374a8880ee31a929ac3da431bdbad6bc4b9c1a8865eec4960a5c0b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
ZAMÓWIENIE NR 001 (MP TECH POLSKA)-pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 07:04:48 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/b3de8a03-ad14-44ea-bf2a-8fc7e31dcc48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387709/
Detection(s):
SecuriteInfo.com.FileRepMalware.4445.3795.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Sending an HTTP GET request
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83167/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6459f063b664422b69d5f0e3/reports/50d48c1d-44fa-4798-b148-b32c11c154f0/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5da038f135ce18d328cd2669818a22472143fca71149a96ede113a018eeaea88
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/07a6b2d7-ba76-4f67-8d40-e9f82c2df871
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228914
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 861879 Sample: ZAM#U00d3WIENIE_NR_001_(MP_... Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 61 www.vortexpostelecom.africa 2->61 63 www.myfedloan.africa 2->63 65 21 other IPs or domains 2->65 85 Snort IDS alert for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 9 other signatures 2->91 13 ZAM#U00d3WIENIE_NR_001_(MP_TECH_POLSKA)-pdf.exe 4 21 2->13         started        signatures3 process4 file5 57 C:\Users\user\AppData\Local\...\Ledgy.Euh, ASCII 13->57 dropped 59 C:\Users\user\...\FanControlPlugin.dll, PE32+ 13->59 dropped 107 Obfuscated command line found 13->107 17 powershell.exe 16 13->17         started        signatures6 process7 signatures8 75 Very long command line found 17->75 20 powershell.exe 13 17->20         started        23 conhost.exe 17->23         started        process9 signatures10 93 Writes to foreign memory regions 20->93 95 Tries to detect Any.run 20->95 25 ieinstal.exe 6 20->25         started        process11 dnsIp12 67 lideentertainmentandfashion.com 69.49.245.112, 49851, 80 UNIFIEDLAYER-AS-1US United States 25->67 97 Modifies the context of a thread in another process (thread injection) 25->97 99 Tries to detect Any.run 25->99 101 Maps a DLL or memory area into another process 25->101 103 2 other signatures 25->103 29 explorer.exe 9 2 25->29 injected signatures13 process14 dnsIp15 69 e-menu.software 119.31.235.70, 49871, 49873, 80 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 29->69 71 www.ldjt.net 103.205.241.185, 49854, 49855, 80 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong Hong Kong 29->71 73 9 other IPs or domains 29->73 109 System process connects to network (likely due to code injection or exploit) 29->109 111 Uses ipconfig to lookup or modify the Windows network settings 29->111 33 ipconfig.exe 1 18 29->33         started        37 ieinstal.exe 29->37         started        39 ieinstal.exe 29->39         started        signatures16 process17 file18 49 C:\Users\user\AppData\...4916logrv.ini, data 33->49 dropped 51 C:\Users\user\AppData\...5116logri.ini, data 33->51 dropped 77 Detected FormBook malware 33->77 79 Tries to steal Mail credentials (via file / registry access) 33->79 81 Tries to harvest and steal browser information (history, passwords, etc) 33->81 83 4 other signatures 33->83 41 cmd.exe 2 33->41         started        45 firefox.exe 1 33->45         started        signatures19 process20 file21 53 C:\Users\user\AppData\Local\Temp\DB1, SQLite 41->53 dropped 105 Tries to harvest and steal browser information (history, passwords, etc) 41->105 47 conhost.exe 41->47         started        55 C:\Users\user\AppData\...5516logrf.ini, data 45->55 dropped signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5da038f135ce18d328cd2669818a22472143fca71149a96ede113a018eeaea88/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 07:04:07 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwqdr4jvzymngkgnezuydcrci4quh7fhcfe2s3w6ce5addxk5kea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
FormBook
21e08bb00bf5a84ec339e16296437ef3f5fc98b93d62da5a2e26bebbb2eb5861
FormBook
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
FormBook
3ecf38540014a3fe10b883b34592b8e5eefb11d0e4abf64fd98129d00bf4a682
FormBook
53176c142b4a57f89c57ed969d3a578640841c09db2a58bc9f360a636c8d5947
FormBook
5708134963ec09acd66b22cf1115ec458151bdb151b5ecdeb69cca55081acadd
FormBook
a96ec414b99747cf8859a77e2d05ea24053db3fa343474a007180dfefda658ca
FormBook
bf03cd8e5554ec62c98931069f436ec71ac21d57a8922b1bb3c1958a0a9256f3
FormBook
e8bc95bd3989e65c252e733adab5c16d51b18c19bccdab299d914cf6df922826
FormBook
f8b1ba811be8ffc9b87d3f55b5c8c0a10b3d468f119eaf1d5c36d5664b940a84
FormBook
+ 1'402 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:il07 discovery downloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230509-hvx6vagf2w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
SH256 hash:
5da038f135ce18d328cd2669818a22472143fca71149a96ede113a018eeaea88
MD5 hash:
3085ec04f17ac08ca8102f45b9b62f79
SHA1 hash:
cb303b9116429cf20fbc51f47d1bc5905451dc92
Link:
https://www.unpac.me/results/1e04cc28-f2f3-49f4-8c11-28ea6f4391c4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5da038f135ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387709/

Comments