MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc
SHA3-384 hash:	75609165ccd8fd6e5ed7c10a4959fa5c68bf84743ba42ba6e99eff763a0cae5c6598bee0e5bba61d992620d63a98c01a
SHA1 hash:	ec9fb1bd1de42be168d4a5565e052a2b5deacf56
MD5 hash:	cd46dbf532b047ca67d19ea025e88051
humanhash:	white-illinois-bacon-tennessee
File name:	http___sowork.duckdns.org_11d_solex.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	98'304 bytes
First seen:	2021-09-02 14:12:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b35907c8152cbadddd8bc306abc4b99c (1 x Formbook, 1 x RemcosRAT)
ssdeep	1536:rEyLmLWGPf+m2kxPqg6ANKLWG6+K3Cwx3ektcs3AGVD:IImb2khC15QSqWo
Threatray	6'105 similar samples on MalwareBazaar
TLSH	T11AA3AE31AB6C8816F0FD46B64782B9A70E3DBC4207A62F31115339475F3D22E6979A0F
dhash icon	0000001858b4a600 (8 x RemcosRAT, 3 x GuLoader, 1 x Formbook)
Reporter	Racco42
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http___sowork.duckdns.org_11d_solex.exe

Verdict:

No threats detected

Analysis date:

2021-09-02 15:59:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2d1afb93-b609-4f87-96d0-caca61b94ff7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/184814/

Detection(s):

Win.Dropper.Guloader-9890276-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Unauthorized injection to a recently created process

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5e187e59-c8e3-4288-9d84-98593ff872a0

Result

Threat name:

GuLoader Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/844093

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

GuLoader behavior detected

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected GuLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2021-09-02 14:13:04 UTC

AV detection:

7 of 28 (25.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

azorult

formbook

cloudeye

Formbook

7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9

Formbook

80815a7e6ad20eed27bf6b3112f7b735d102cfc375e40444cef9abca506ed80a

Formbook

aaded4fcee9176fe04085b40b5c11861cfbcdf76eea26f508b119eda00ada941

Formbook

b9b1a3245f7aa2f9fadc4cff8343866030a63f297167df00ca0aa4284f453be1

Formbook

d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

Formbook

d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701

Formbook

de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e

Formbook

dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

Formbook

+ 6'095 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:azorult family:guloader family:remcos family:xloader botnet:remotehost campaign:qg09 downloader infostealer loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210902-rjed2aacb9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Reads user/profile data of web browsers

NirSoft WebBrowserPassView

Nirsoft

Xloader Payload

Azorult

Guloader,Cloudeye

Remcos

Xloader

Malware Config

C2 Extraction:

slx-wave.duckdns.org:2222
slx-wave.duckdns.org:1111
http://www.kingbirdad.com/qg09/
http://195.245.112.115/index.php

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/924d4ede-2335-4aad-ae75-5e942f139888/

SH256 hash:

da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc

MD5 hash:

cd46dbf532b047ca67d19ea025e88051

SHA1 hash:

ec9fb1bd1de42be168d4a5565e052a2b5deacf56

Link:

https://www.unpac.me/results/924d4ede-2335-4aad-ae75-5e942f139888/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/da71644ee66c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/184814/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample