MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8
SHA3-384 hash: cd2da1df906698880ed9584577db2998cae281e76bdc8db2bd4b264cddf93f668766dfcfa0e3530a8def796ef17a0bf0
SHA1 hash: c9a46897b5711b39802abb67e21f8ccc67e0b8f2
MD5 hash: a1b89bc33a0fc04686d495e2bf4021fc
humanhash: finch-foxtrot-lake-hot
File name:Afklde.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:287'040 bytes
First seen:2023-04-14 06:09:40 UTC
Last seen:2023-04-14 12:57:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 6144:/lJZfrFfXujQokjV8DCPb08s8wVptKwdzzaxqfKJaSdUFPAq7pNz:/ljUojVY00hpt1dz+cKJaS0P77pNz
Threatray 2'528 similar samples on MalwareBazaar
TLSH T1C354121583E089DBE9D75AB32F7AEFFBF67E46313111461FA3501F682E10244DD262A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-05T23:38:30Z
Valid to:2025-05-04T23:38:30Z
Serial number: 2e8333514407e2fff67ab065e6b8197cb29838e2
Thumbprint Algorithm:SHA256
Thumbprint: 3e9347786e227314f630ad614e1f95a61c1e8957d28c1101f14d9b080ec013cf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Afklde.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 06:24:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3ce587f-eff0-4485-a18a-065c20212585

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382165/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66387625.14440.20861.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the Windows subdirectories
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6438ee3d59a1287810bc1c9c/reports/edc3dfe9-c156-4a22-b367-c77bedc9f82c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ff7836cb-404d-4d29-addf-8d450616799e
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213696
Signature
Antivirus detection for URL or domain
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 846627 Sample: Afklde.exe Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 35 www.kkqqzb.xyz 2->35 37 wwwgafasreticulares.com 2->37 39 31 other IPs or domains 2->39 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 59 6 other signatures 2->59 10 Afklde.exe 44 2->10         started        signatures3 57 Performs DNS queries to domains with low reputation 35->57 process4 file5 27 C:\Users\user\AppData\...\gnsdk_link.dll, PE32 10->27 dropped 29 C:\Users\user\AppData\Local\...behaviorgraphracenote.dll, PE32 10->29 dropped 31 C:\Users\user\AppData\Local\...\lang-1081.dll, PE32 10->31 dropped 33 C:\Users\user\AppData\Local\...\System.dll, PE32 10->33 dropped 71 Tries to detect Any.run 10->71 14 Afklde.exe 6 10->14         started        signatures6 process7 dnsIp8 47 googlehosted.l.googleusercontent.com 172.217.16.193, 443, 49839 GOOGLEUS United States 14->47 49 drive.google.com 172.217.18.14, 443, 49838 GOOGLEUS United States 14->49 73 Modifies the context of a thread in another process (thread injection) 14->73 75 Tries to detect Any.run 14->75 77 Maps a DLL or memory area into another process 14->77 79 2 other signatures 14->79 18 explorer.exe 2 1 14->18 injected signatures9 process10 dnsIp11 41 www.nuiband.life 184.94.212.57, 49871, 49872, 49873 VXCHNGE-NC01US United States 18->41 43 pristeofficial.com 67.223.118.125, 49853, 49854, 49855 VIMRO-AS15189US United States 18->43 45 15 other IPs or domains 18->45 61 System process connects to network (likely due to code injection or exploit) 18->61 22 help.exe 13 18->22         started        signatures12 process13 signatures14 63 Tries to steal Mail credentials (via file / registry access) 22->63 65 Tries to harvest and steal browser information (history, passwords, etc) 22->65 67 Writes to foreign memory regions 22->67 69 3 other signatures 22->69 25 firefox.exe 22->25         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 11:55:40 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7phn7ooglijgfk7apvrcq7bl4iriad3eh7hfjs36w33nrgelgua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02033ee5f18dc5c14cca3e808111693ff1b41d8d705268ae55e86251fe6bcc8b
Formbook
02aeec3b3700be483dbe07a20959c39e57b9281680aad00a7683a130bf3a01a2
Formbook
05977847b0408ec1abb7b4cd05ad10b4004c97d5c949e579d695d47518f4f376
Formbook
4da18f5e360f53c89bbffc55376aba4d8e2b088d74eaa60546f574a6c976fb36
Formbook
6769905302dd965b16c74da2c0a5633dd4cbfe5c8879a5db6a7322d53d668533
Formbook
bbce488ca134416b61010d40ba42d0c867493d6785bffa25c5e7568e3eeacb7c
Formbook
c03d796c8b75c36e92aa53d1fb21d89fb0fc6aa57df540ca0074c43661a6cec0
Formbook
ec3aca205b55b422244e9d46cffe68348e1e6691fcf465495ca69a0f972ce1b3
Formbook
+ 2'518 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-gw3bhsge87/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
2033e771aceb139415b6c378f21ab7ef8c2d7fa44b881085b4c01fcdbd87d83a
MD5 hash:
f049e2caaa077327bb3de9e56da43071
SHA1 hash:
cf17fd5e336e4af212725e22e20aa5842f4f3baa
Link:
https://www.unpac.me/results/bf8c462b-367d-435e-ae2a-21f11c317a0c/
SH256 hash:
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
MD5 hash:
fc90dfb694d0e17b013d6f818bce41b0
SHA1 hash:
3243969886d640af3bfa442728b9f0dff9d5f5b0
Link:
https://www.unpac.me/results/bf8c462b-367d-435e-ae2a-21f11c317a0c/
SH256 hash:
08929e352de8799a2036c6fc7d2a05d6ec437da8be6be5b05171fed5e786ca6e
MD5 hash:
927d128df6b67fc942b8f8e411bfb19b
SHA1 hash:
2fff7d2b9d0c2040ee2ed2fad92ef6216ddb4084
Link:
https://www.unpac.me/results/bf8c462b-367d-435e-ae2a-21f11c317a0c/
SH256 hash:
afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8
MD5 hash:
a1b89bc33a0fc04686d495e2bf4021fc
SHA1 hash:
c9a46897b5711b39802abb67e21f8ccc67e0b8f2
Link:
https://www.unpac.me/results/bf8c462b-367d-435e-ae2a-21f11c317a0c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/afde76fdce32/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382165/

Comments