MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e
SHA3-384 hash: b1d0f11475400f1c51a8a518cb5391b9b4c76db5fac36d8b98ecd6c2841ed7981d435a9d91822250bc0bfc63b2089e60
SHA1 hash: 081f7f7a7b1fe38bcb72c595f221bbcb639391a7
MD5 hash: aa8f89c7d81861d53ed1c835e996b56b
humanhash: diet-romeo-bacon-shade
File name:Inquiry 22602057.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:409'771 bytes
First seen:2022-04-19 05:34:15 UTC
Last seen:2022-04-19 07:21:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:KY5IN3iISE6MOnp+HCieCJEyvbk51qmk9pKmd7VMkawDGznoe:KYKN3iISE6MOnp+HCieCJEyvbk51qmki
Threatray 15'131 similar samples on MalwareBazaar
TLSH T1AA943A5A7C90C68BC5BD1FB0B8E0EDB849249D767AE0033C68F06C377476643654EA7A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a292ceaca17ecea2 (3 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264485/
Detection(s):
SecuriteInfo.com.generic.ml.29986.32692.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/625e4a07482f2f41cacfb436/reports/74e825c5-39a0-422c-b8d7-908354edaa55/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5e118588-55b1-473a-8bb1-ba74be3ef47a
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978629
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 611115 Sample: Inquiry 22602057.exe Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 57 yeswayclub.com 2->57 59 www.yxmcha.com 2->59 61 50 other IPs or domains 2->61 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Multi AV Scanner detection for domain / URL 2->87 89 Found malware configuration 2->89 91 12 other signatures 2->91 11 Inquiry 22602057.exe 25 2->11         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\vmhgfs_x86.dll, PE32 11->49 dropped 51 C:\Users\user\AppData\Local\...\System.dll, PE32 11->51 dropped 109 Tries to detect Any.run 11->109 111 Hides threads from debuggers 11->111 15 Inquiry 22602057.exe 6 11->15         started        signatures6 process7 dnsIp8 69 107.173.229.154, 49754, 49839, 49843 AS-COLOCROSSINGUS United States 15->69 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Tries to detect Any.run 15->73 75 Maps a DLL or memory area into another process 15->75 77 3 other signatures 15->77 19 explorer.exe 3 6 15->19 injected signatures9 process10 dnsIp11 63 www.marinpalm.com 154.213.72.40, 49833, 80 VPSQUANUS Seychelles 19->63 65 www.nichesiteformula.com 103.224.212.220, 49857, 49858, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 19->65 67 25 other IPs or domains 19->67 47 C:\Users\user\AppData\...\7nad_jopirmx.exe, PE32 19->47 dropped 93 System process connects to network (likely due to code injection or exploit) 19->93 95 Benign windows process drops PE files 19->95 24 rundll32.exe 1 12 19->24         started        27 7nad_jopirmx.exe 18 19->27         started        30 7nad_jopirmx.exe 18 19->30         started        file12 signatures13 process14 file15 97 Tries to steal Mail credentials (via file / registry access) 24->97 99 Self deletion via cmd delete 24->99 101 Tries to harvest and steal browser information (history, passwords, etc) 24->101 107 4 other signatures 24->107 32 cmd.exe 2 24->32         started        35 cmd.exe 1 24->35         started        37 firefox.exe 24->37         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 27->53 dropped 103 Tries to detect Any.run 27->103 105 Hides threads from debuggers 27->105 39 7nad_jopirmx.exe 6 27->39         started        55 C:\Users\user\AppData\Local\...\System.dll, PE32 30->55 dropped 41 7nad_jopirmx.exe 6 30->41         started        signatures16 process17 signatures18 79 Tries to harvest and steal browser information (history, passwords, etc) 32->79 43 conhost.exe 32->43         started        45 conhost.exe 35->45         started        81 Tries to detect Any.run 41->81 83 Hides threads from debuggers 41->83 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yzwm7noeo7pmaptlmjn3535kabrytkfmvtc2kladhptpckquixa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
409d082509f1965c92e8be062f7dccb0b9af2458e720460658729468d44fef28
Formbook
5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527
Formbook
7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa
Formbook
93da913f4b899003071cf8743f4a06f14464397cdb135638e2e76072a283f970
Formbook
945e623b814b647326ed96bc5be37010053fdc50f9dce11d96e408c22a8afd4a
Formbook
95c771c632d3d8501bcb90643f6587624eb5c5773557eeceb34bb08872cbd3cd
Formbook
99889ef9126eddb7fee40e181c9832c734f8cef74736e2c577438300b468751c
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
bc7cf974c3cfb35a9e7f4abff78a9c68ae6a9ecb2eb78725adfd3ef6db6d6e0a
Formbook
bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6
Formbook
+ 15'121 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:f7sb downloader loader rat
Link:
https://tria.ge/reports/220419-f91jeaagc2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Xloader Payload
Guloader,Cloudeye
Xloader
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/ce62caf6-40df-4702-8ffd-20b96a90bd61/
SH256 hash:
93aa1f63a8e9447fa73916cf08a1494b02c6177553a9d05b4f6e9eb160e5c792
MD5 hash:
4c7dbce3765f081c9bbbbb9f0515fcab
SHA1 hash:
7658ca8087e17efc35f4e58919e5e12f1434dd67
Link:
https://www.unpac.me/results/ce62caf6-40df-4702-8ffd-20b96a90bd61/
SH256 hash:
de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e
MD5 hash:
aa8f89c7d81861d53ed1c835e996b56b
SHA1 hash:
081f7f7a7b1fe38bcb72c595f221bbcb639391a7
Link:
https://www.unpac.me/results/ce62caf6-40df-4702-8ffd-20b96a90bd61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/264485/

Comments