MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09
SHA3-384 hash: 7362128018174c98fa5ed30ba4559e7cf4d1c194ebe39813be0c0608d62e90cd44f7b95781f0096774e4ac73f2675f20
SHA1 hash: 55a1ab1356d69116d82f16a3877b2bff2d923d7f
MD5 hash: 6c9bc8e528a6f60fd4a323fc518cc416
humanhash: eleven-bakerloo-mountain-angel
File name:Enquiry 220519.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:972'296 bytes
First seen:2022-05-19 06:30:44 UTC
Last seen:2022-05-19 07:41:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:SYa6Km9LT0r38pr2y6byYTkhmAvKVXX8+FshP0il93TOYfEOELcw9wpP+Ty3ajrh:SY9rpr2y6kgzXX1Iv9DOBd4hQfec73tl
TLSH T1AD258CC62108AEDCF99DC8F08338BDB143753E29E9EA8C0277E577ACD93364C451A566
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71f0f4b6b2d2f079 (3 x Formbook)
Reporter lowmal3
Tags:exe FormBook signed

Code Signing Certificate

Organisation:hinderingly UMBELAP hjemmelssprgsmaalene Lakeringens5
Issuer:hinderingly UMBELAP hjemmelssprgsmaalene Lakeringens5
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-18T21:22:53Z
Valid to:2023-05-18T21:22:53Z
Serial number: -0db6e9f06edddb32
Thumbprint Algorithm:SHA256
Thumbprint: f160bbe43738d3f9dd69f9ef8df2d20233b79d0477df32580cec27706b156489
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Enquiry 220519.exe
Verdict:
Malicious activity
Analysis date:
2022-05-19 07:25:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71dd2b5d-2b97-4451-8980-eeedec7a5f1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272370/
Detection(s):
SecuriteInfo.com.Artemis6C9BC8E528A6.18558.6618.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6285e4373baea5a8c041d247/reports/9a169a60-9074-48db-a08d-520f240b5a05/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78406cef-8fa2-413f-a746-948bc31590b7
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997419
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 629915 Sample: Enquiry 220519.exe Startdate: 19/05/2022 Architecture: WINDOWS Score: 100 61 yeswayclub.com 2->61 63 www.zedhaque.com 2->63 65 44 other IPs or domains 2->65 87 Snort IDS alert for network traffic 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 9 other signatures 2->93 11 Enquiry 220519.exe 27 2->11         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\vm3ddevapi.dll, PE32 11->51 dropped 53 C:\Users\user\AppData\Local\...\System.dll, PE32 11->53 dropped 55 C:\...\System.Net.WebHeaderCollection.dll, PE32+ 11->55 dropped 109 Tries to detect Any.run 11->109 15 Enquiry 220519.exe 6 11->15         started        signatures6 process7 dnsIp8 73 192.210.214.207, 49765, 49810, 49814 AS-COLOCROSSINGUS United States 15->73 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Tries to detect Any.run 15->77 79 Maps a DLL or memory area into another process 15->79 81 2 other signatures 15->81 19 explorer.exe 3 6 15->19 injected signatures9 process10 dnsIp11 67 mrfnr.com 108.167.142.231, 49801, 80 UNIFIEDLAYER-AS-1US United States 19->67 69 yeswayclub.com 15.197.142.173, 49796, 80 TANDEMUS United States 19->69 71 22 other IPs or domains 19->71 49 C:\Users\user\AppData\Local\...\gdiedu.exe, PE32 19->49 dropped 95 System process connects to network (likely due to code injection or exploit) 19->95 97 Benign windows process drops PE files 19->97 24 raserver.exe 1 12 19->24         started        27 gdiedu.exe 18 19->27         started        30 gdiedu.exe 18 19->30         started        32 autochk.exe 19->32         started        file12 signatures13 process14 file15 99 Tries to steal Mail credentials (via file / registry access) 24->99 101 Self deletion via cmd delete 24->101 103 Creates autostart registry keys with suspicious names 24->103 107 5 other signatures 24->107 34 cmd.exe 2 24->34         started        37 cmd.exe 1 24->37         started        39 firefox.exe 24->39         started        57 C:\Users\user\AppData\Local\...\System.dll, PE32 27->57 dropped 105 Tries to detect Any.run 27->105 41 gdiedu.exe 6 27->41         started        59 C:\Users\user\AppData\Local\...\System.dll, PE32 30->59 dropped 43 gdiedu.exe 6 30->43         started        signatures16 process17 signatures18 83 Tries to harvest and steal browser information (history, passwords, etc) 34->83 45 conhost.exe 34->45         started        47 conhost.exe 37->47         started        85 Tries to detect Any.run 43->85 process19
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-05-19 01:01:09 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyzvmrjrhvkyeg7qln4kjibw5mbl2p55mgc7no6wv33gqv6apueq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:f7sb downloader loader rat suricata
Link:
https://tria.ge/reports/220519-g92bdabhd9/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Xloader Payload
Guloader,Cloudeye
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Generic .bin download from Dotted Quad
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/c37b9d69-58d7-43b0-963c-7e8de46d4588/
SH256 hash:
090734874a2d9ba30719062e2086dcb9dc3d813e8237863640513572c673eba2
MD5 hash:
45060e463944ed58b53b9eea4a53d33e
SHA1 hash:
4cc73b494d52bfb03497f81cb3a6e62df3bdabd2
Link:
https://www.unpac.me/results/c37b9d69-58d7-43b0-963c-7e8de46d4588/
SH256 hash:
c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09
MD5 hash:
6c9bc8e528a6f60fd4a323fc518cc416
SHA1 hash:
55a1ab1356d69116d82f16a3877b2bff2d923d7f
Link:
https://www.unpac.me/results/c37b9d69-58d7-43b0-963c-7e8de46d4588/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c6335645313d55821bf05b78a4a036eb02bd3fbd6185f6bbd6aef66857c07d09

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/272370/

Comments