MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15
SHA3-384 hash: b3b1bd8110d35eb34ce4bdf08dee2949ab88453660b84ff22c8938f70be6c1d954cb5cfdb4f6bafe5dfb043818db7cb4
SHA1 hash: 0149da2dd3a686c11f8a6791f6ce6057b6df2923
MD5 hash: d5483fe9cbf398d6af54199dce725081
humanhash: vegan-seven-carolina-music
File name:Geparders.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:287'456 bytes
First seen:2023-04-12 18:27:56 UTC
Last seen:2023-04-12 19:24:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 6144:+lJZfr5Bt16Ofo1vMLI1rGV0BV6PQvI8WWrY6efDBY9QPQzCK2u:+lj5BJ6vlrQxQvI8HY6efQwQzCK2u
Threatray 781 similar samples on MalwareBazaar
TLSH T10D54129935D4D0EFE9B76EB11E2AABB0B9B392146410534B13603F9F9A30F46DE05393
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-04-08T01:00:04Z
Valid to:2026-04-07T01:00:04Z
Serial number: 23d2ffb5b5e79502485f2d7812bfa2c9b78d0f2c
Thumbprint Algorithm:SHA256
Thumbprint: dfbc75a396d7d9940455564bc06767d235d568fa86eb567cee50b6a73ffd60b1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Geparders.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 18:31:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50873404-9c96-4380-8024-af1b5fea97e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381888/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the Windows subdirectories
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6436f83359a1287810bbf944/reports/4323acfe-d3d8-4a29-90e2-116c13398699/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4e1758bd-bc24-4928-be2c-71db5d57f063
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212806
Signature
Antivirus detection for URL or domain
Found potential ransomware demand text
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 845722 Sample: Geparders.exe Startdate: 12/04/2023 Architecture: WINDOWS Score: 100 39 yourbestversioneua.com 2->39 41 www.yourbestversioneua.com 2->41 43 22 other IPs or domains 2->43 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 5 other signatures 2->57 9 Geparders.exe 46 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\lang-1081.dll, PE32 9->27 dropped 29 C:\Users\user\AppData\...\gnsdk_link.dll, PE32 9->29 dropped 31 C:\Users\user\AppData\Local\...behaviorgraphracenote.dll, PE32 9->31 dropped 33 C:\Users\user\AppData\Local\...\System.dll, PE32 9->33 dropped 61 Tries to detect Any.run 9->61 13 WWAHost.exe 13 9->13         started        16 Geparders.exe 6 9->16         started        signatures6 process7 dnsIp8 63 Tries to steal Mail credentials (via file / registry access) 13->63 65 Tries to harvest and steal browser information (history, passwords, etc) 13->65 67 Writes to foreign memory regions 13->67 75 3 other signatures 13->75 19 explorer.exe 3 1 13->19 injected 23 firefox.exe 13->23         started        35 googlehosted.l.googleusercontent.com 142.250.186.33, 443, 49832 GOOGLEUS United States 16->35 37 drive.google.com 142.250.74.206, 443, 49831 GOOGLEUS United States 16->37 69 Tries to detect Any.run 16->69 71 Maps a DLL or memory area into another process 16->71 73 Sample uses process hollowing technique 16->73 signatures9 process10 dnsIp11 45 yourbestversioneua.com 108.179.252.69, 49886, 49887, 49888 UNIFIEDLAYER-AS-1US United States 19->45 47 agenciaeducar.store 162.240.81.18, 49850, 49851, 49852 UNIFIEDLAYER-AS-1US United States 19->47 49 13 other IPs or domains 19->49 59 System process connects to network (likely due to code injection or exploit) 19->59 25 WerFault.exe 2 23->25         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 18:27:26 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ge2w2c4lfddukxbcvidraoveabsickslxuyi3kfqwb6jllv7qkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
094dc63a99e7f4978723577fdbbbadc74ffa4b907368c0cd48b3d0b5f14e3fbc
Formbook
41618cb3eabd9750fa776f31b8117e4025fd3d03af5e30d62100d84ce8101406
Formbook
4b01d8e4729b07277f8f71037f9fbda1f8d817d9688850d941e7832727bb0276
Formbook
4bf75ced5431972bf4d34227e7fbf107f16ca9879bee1d0b225321ee100e3a11
Formbook
601d52629466f941c618f71698c7ef86fa1de8329e3de879960b10168c28c5ba
Formbook
728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96
Formbook
9bdc185c4c52ab97921a7d99b7bfe6e22ac5be828d999b19e41983b3c79af0c9
Formbook
b394bd2bf5686012f76693ff9daddc941662d0c564e4ac4a530ea34b4b0d8cc6
Formbook
b819e0dd1a5dc229d16fa74251262ce7fdd7581a71f66c9dec61149a7c4c7a76
Formbook
e29c4da2ffb29da2ca94953e638058674b6234ac0c75864d644a661d582a3ab1
Formbook
+ 771 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230412-w4babseb38/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
2033e771aceb139415b6c378f21ab7ef8c2d7fa44b881085b4c01fcdbd87d83a
MD5 hash:
f049e2caaa077327bb3de9e56da43071
SHA1 hash:
cf17fd5e336e4af212725e22e20aa5842f4f3baa
Link:
https://www.unpac.me/results/a5f4167e-2a3a-44f5-9f26-c85335625826/
SH256 hash:
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
MD5 hash:
fc90dfb694d0e17b013d6f818bce41b0
SHA1 hash:
3243969886d640af3bfa442728b9f0dff9d5f5b0
Link:
https://www.unpac.me/results/a5f4167e-2a3a-44f5-9f26-c85335625826/
SH256 hash:
08929e352de8799a2036c6fc7d2a05d6ec437da8be6be5b05171fed5e786ca6e
MD5 hash:
927d128df6b67fc942b8f8e411bfb19b
SHA1 hash:
2fff7d2b9d0c2040ee2ed2fad92ef6216ddb4084
Link:
https://www.unpac.me/results/a5f4167e-2a3a-44f5-9f26-c85335625826/
SH256 hash:
d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15
MD5 hash:
d5483fe9cbf398d6af54199dce725081
SHA1 hash:
0149da2dd3a686c11f8a6791f6ce6057b6df2923
Link:
https://www.unpac.me/results/a5f4167e-2a3a-44f5-9f26-c85335625826/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d989ab685c59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/381888/

Comments