MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06
SHA3-384 hash: efe8d55c719ca9bcbd01efc0eab3bc9595ea796746e7c5cd931120eceaf28e7838e93002261975af6563e3da13313b42
SHA1 hash: 220a1b6e8bf4a05cc6affb347af629a3aab8b32f
MD5 hash: fb265e69d9c11abc29e5454d4f97cc62
humanhash: arkansas-johnny-yellow-fillet
File name:Trimeter4.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:529'642 bytes
First seen:2023-07-21 13:12:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 39 x VIPKeylogger)
ssdeep 12288:wT3tfCDvBPqPyCuj8tnsY0aE5K96yXsz5t8AN:wTN4vB2yCuj8tnsY0aE/RN
Threatray 984 similar samples on MalwareBazaar
TLSH T181B4F195679080C7D1E644B2DE16EE6AC502BD37624AC72323603E6F7F7F6638453A23
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9f8fbebfbebfbbdd (1 x GuLoader, 1 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trimeter4.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-21 13:13:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/05960998-4509-430a-b2e6-50ee43ae6c87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/427407/
Detection(s):
SecuriteInfo.com.FileRepMalware.21902.4861.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/00c6824c-1605-41f4-a829-2a5b866a7e75
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277415
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1277415 Sample: Trimeter4.exe Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 34 www.vusujhyf.click 2->34 36 www.viaridesentralasia.com 2->36 38 21 other IPs or domains 2->38 52 Snort IDS alert for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 6 other signatures 2->58 10 Trimeter4.exe 1 34 2->10         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\System.dll, PE32 10->32 dropped 68 Tries to detect Any.run 10->68 14 Trimeter4.exe 6 10->14         started        signatures6 process7 dnsIp8 46 googlehosted.l.googleusercontent.com 172.217.168.1, 443, 49976 GOOGLEUS United States 14->46 48 drive.google.com 172.217.168.46, 443, 49975 GOOGLEUS United States 14->48 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Tries to detect Any.run 14->74 76 Maps a DLL or memory area into another process 14->76 78 Queues an APC in another process (thread injection) 14->78 18 RAVCpl64.exe 14->18 injected signatures9 process10 signatures11 50 Sample uses process hollowing technique 18->50 21 NETSTAT.EXE 13 18->21         started        24 autochk.exe 18->24         started        process12 signatures13 60 Tries to steal Mail credentials (via file / registry access) 21->60 62 Tries to harvest and steal browser information (history, passwords, etc) 21->62 64 Writes to foreign memory regions 21->64 66 3 other signatures 21->66 26 explorer.exe 3 1 21->26 injected 30 firefox.exe 21->30         started        process14 dnsIp15 40 www.tuxn1.buzz 170.106.114.35, 50035, 50036, 50037 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 26->40 42 www.49zyw.com 64.32.3.218, 50007, 50008, 50009 ST-BGPUS United States 26->42 44 12 other IPs or domains 26->44 70 System process connects to network (likely due to code injection or exploit) 26->70 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 07:13:54 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7ocq2u3p2tfxwhjb2fucpcd4ftwhq7bxtxvfwxnzslysrecxmda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052
Formbook
5edb99afba36f3aa19c0b065b263b65e27d37d588c5441d5f9518e8423480344
Formbook
68ba26474bb29bdbc42cfddd75f212eec1ffa22d5c1affc893addce5330f4e11
Formbook
6e5b648d1e574dfbbd6337c6d11b851b2b12efec1f0ae59b1327e0dce1dfe7e6
Formbook
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
Formbook
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
Formbook
de30e038eaa635585c23ec16221f9307e49152fe0d42d6f49a9435beb42f1f9f
Formbook
f5514ba2ddd26604600411906b8391af11ef05fa5c034f45f30c50ee7048ddd4
Formbook
fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534
Formbook
+ 974 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230721-qf3rsaeg88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/11287f48-23b9-4208-8bce-f675e5e543b9/
SH256 hash:
8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06
MD5 hash:
fb265e69d9c11abc29e5454d4f97cc62
SHA1 hash:
220a1b6e8bf4a05cc6affb347af629a3aab8b32f
Link:
https://www.unpac.me/results/11287f48-23b9-4208-8bce-f675e5e543b9/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8fdc286a9b7e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427407/

Comments