MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
SHA3-384 hash: e390a49cbea34869361b9b0667c8cca55ee66257d6b6f87bf098c8b030de457574ab1b2c45f48cb87ac68f1d60b39c3c
SHA1 hash: 04577bf9f9a526612533547eac8538eae371af2d
MD5 hash: b202fbf7da253a4eb12808791ad0a4c5
humanhash: tennis-solar-oxygen-connecticut
File name:Ziraat Bankasi Swift Mesaji_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:376'352 bytes
First seen:2023-04-17 12:30:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:wT5Uzm/ONiIvlIxyOPZ06YUOHB/ZXIsy9/l/uzYf5CW1CQ64B6GuWhWJJgRPGCWp:wT5j6l4C6YlHcsy9NH5CaC98JujJgRPM
Threatray 1'152 similar samples on MalwareBazaar
TLSH T132841399BAB1D427D5B69D301D6CC1238DF2D52A0D3A5B0613006EA83E63B835E1FF63
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-04T23:38:37Z
Valid to:2025-07-03T23:38:37Z
Serial number: 502d75ff1f096e4f60bef9d23781261b3ab4d015
Thumbprint Algorithm:SHA256
Thumbprint: a63a8e4d238a4f7e54c656df0cb7e4784f06dd0d79f5406d150b536d581c6254
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 12:31:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55e8515f-9635-4858-8c4b-aa1612a40c1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382789/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.29639.31050.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the %AppData% directory
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80062/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/643d3c065e1ef31d26328c91/reports/5423f20b-d4e3-4412-91c2-364362140040/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4ccff66f-5616-4944-9df5-1995cdabdda2
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215162
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409/
Threat name:
Win32.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-17 03:32:07 UTC
File Type:
PE (Exe)
Extracted files:
96
AV detection:
6 of 36 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zushs3hih3et6ts6cfwviauyntfffbam7b4pptpnyy7ymvzu2qeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
Formbook
3e48726d82d9e1f43739b669d15d4f08a829ac4b31b12a8e0e2f003dcb65ae11
Formbook
41618cb3eabd9750fa776f31b8117e4025fd3d03af5e30d62100d84ce8101406
Formbook
7cdb9e0fde39ad1578dbd905a88c8b6492a608349c0fed0c79879f5a086108e9
Formbook
84cd1092d3d60114702dd6db25a79ac062b5f8f481413bb3e5eaf263a06016d8
Formbook
9b30d60ee8253334584b819faeb61933b028a0767b5cd3c99f2a4d3c2d8f5aae
Formbook
a10c47f496d40583af7bfb8b2fd41014e9f37a527ed72df784a874fceaf558a4
Formbook
e29c4da2ffb29da2ca94953e638058674b6234ac0c75864d644a661d582a3ab1
Formbook
+ 1'142 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:be83 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/230417-pp2qeaeb83/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
MD5 hash:
d968cb2b98b83c03a9f02dd9b8df97dc
SHA1 hash:
d784c9b7a92dce58a5038beb62a48ff509e166a0
Link:
https://www.unpac.me/results/7e713858-5393-4c3e-94ba-928e9f7384b8/
SH256 hash:
cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
MD5 hash:
b202fbf7da253a4eb12808791ad0a4c5
SHA1 hash:
04577bf9f9a526612533547eac8538eae371af2d
Link:
https://www.unpac.me/results/7e713858-5393-4c3e-94ba-928e9f7384b8/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd24796ce83e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382789/

Comments