MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4be4226b685156a19f30ba35099d97c9608c08053992fc0d158b8f6b2bb7712. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4be4226b685156a19f30ba35099d97c9608c08053992fc0d158b8f6b2bb7712
SHA3-384 hash: d92f10968536dce51d1e06cb6a8398ea86cd49ed147953161fab390abe50f8d799f430ecda880d9dd589a003dcf14f1c
SHA1 hash: 840b21eb96719e91e063448d53eee6334c7f656a
MD5 hash: e7e24dc3a53ea2ae2a518ae5d743d100
humanhash: fanta-cup-xray-papa
File name:QUOTATION_DOC_DOCX_PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:98'304 bytes
First seen:2020-08-17 13:56:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cafd950d23f4d8ad14b651ea7a408d6 (1 x FormBook)
ssdeep 768:SRw1fMPG8QCoxxjRFIBsmtzgrXGAldRex+nx6VF/G1xOk6EdoxfkVaI4Dca4rTle:S6UPZzgzDl62xUqHofkVaHWZmMG
Threatray 148 similar samples on MalwareBazaar
TLSH F7A33A12A1D88735F36CCB741AB529B7527DAC30760B8A0793C93EAA67B3F05C721257
Reporter abuse_ch
Tags:exe FormBook GuLoader Hostwinds


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-760084.hostwindsdns.com
Sending IP: 104.168.145.121
From: info@hemoclan.com
Subject: QUOTE PRICE
Attachment: QUOTATION_DOC_DOCX_PDF.GZ (contains "QUOTATION_DOC_DOCX_PDF.exe")

GuLoader pushing Formbook:
https://onedrive.live.com/download?cid=6A851B3D3D1425A8&resid=6A851B3D3D1425A8%21109&authkey=ADruIa-EK-olg1M

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47068/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/433665
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 269212 Sample: QUOTATION_DOC_DOCX_PDF.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 72 53 Yara detected GuLoader 2->53 55 Initial sample is a PE file and has a suspicious name 2->55 57 Yara detected VB6 Downloader Generic 2->57 8 QUOTATION_DOC_DOCX_PDF.exe 2 2 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        process3 signatures4 63 Creates autostart registry keys with suspicious values (likely registry only malware) 8->63 65 Tries to detect Any.run 8->65 67 Hides threads from debuggers 8->67 69 Contains functionality to hide a thread from the debugger 8->69 15 QUOTATION_DOC_DOCX_PDF.exe 4 8->15         started        19 respondencies.exe 2 11->19         started        21 respondencies.exe 2 13->21         started        process5 file6 35 C:\Users\user\AppData\...\respondencies.exe, PE32 15->35 dropped 37 C:\Users\user\AppData\...\respondencies.vbs, ASCII 15->37 dropped 45 Tries to detect Any.run 15->45 47 Hides threads from debuggers 15->47 23 respondencies.exe 2 15->23         started        26 respondencies.exe 13 19->26         started        29 respondencies.exe 13 21->29         started        signatures7 process8 dnsIp9 59 Tries to detect Any.run 23->59 61 Hides threads from debuggers 23->61 31 respondencies.exe 13 23->31         started        39 onedrive.live.com 26->39 41 onedrive.live.com 29->41 signatures10 process11 dnsIp12 43 onedrive.live.com 31->43 49 Tries to detect Any.run 31->49 51 Hides threads from debuggers 31->51 signatures13
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4be4226b685156a19f30ba35099d97c9608c08053992fc0d158b8f6b2bb7712/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 09:32:28 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2s7eejvwqukwugptborvbgozpslarqeakoms7qgrlc4pnmv3o4ja._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
20a6cb528c226cb7076f9bdcac76a942b32af0baa48df8aeae65aeb20380c2d5
FormBook
37d7bba1bacdbcb35e301c1fc391449ea84d1203ca59a8b1f1142acf4596e032
FormBook
3e487a6e78ce053ac4add56861cd380be9c2920d292f83448c0a3f8a814c53d7
FormBook
79a2240a25ae035c8fb372974e643f276099d86118d018bb6053571cc3d06ce8
FormBook
81d221135435a226a35c3099f181b6d1b427e72f414b7a8ab89ac8206b2b4959
FormBook
8869b2576e5e5ebd15edee49935a89a27bb6dee506483a27f805f708d4bf8957
FormBook
baeafce74cc8a5c40bd2b6ba2e38312834e48f23f655cfae1d1ae8e78e375b84
FormBook
d18ed67b05d0bbd6dfaba77a6053c92674bfef8abc8c7aae7c17f703adc6ea5c
FormBook
d7e91c4ae1a0b9f6bd1c2ae422b2d9488949110017b9d06001e6bcd386905c8e
FormBook
+ 138 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200817-6pg51c2tve/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sandrxy.com/yby/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.06
Link:
https://yomi.yoroi.company/submissions/d4be4226b685156a19f30ba35099d97c9608c08053992fc0d158b8f6b2bb7712

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip cfd0bc152c70931b1491f264176cacc609b7527eae471dc1f9bae04d1927fd12

FormBook

Executable exe d4be4226b685156a19f30ba35099d97c9608c08053992fc0d158b8f6b2bb7712

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/434382/
  
Dropped by
MD5 07a3c0430a1e0a6730bece2b57e24623
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47068/
  
Dropped by
SHA256 cfd0bc152c70931b1491f264176cacc609b7527eae471dc1f9bae04d1927fd12

Comments