MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
SHA3-384 hash: c0747c209f5a4a972304a0caac6415f9a9dc8f1abadd6c58ee828ac379d3c6cc5914e9072439faafad147e1271e2a933
SHA1 hash: b58f485d5153dc4cb1a608091e1174d6fc966a4a
MD5 hash: 744d832006910318b2826e4cc8db4b11
humanhash: twenty-diet-white-ack
File name:Order List from Dunen Enterprise Corporation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:131'072 bytes
First seen:2021-09-14 04:20:37 UTC
Last seen:2021-09-15 06:27:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44cde914d1969d7de2a52adae7c22460 (2 x GuLoader, 1 x Loki, 1 x Formbook)
ssdeep 3072:CwbDzFr9RfmrBv2ubFB2NNq1KvyFwZddImz:CwbDzFrnfmrUWD2/6wpIm
Threatray 5'256 similar samples on MalwareBazaar
TLSH T162D38CB17D0CA821D248C5F80261C66883D62D33E6915A677824BBCA4471BCF6DFAF5F
Reporter GovCERT_CH
Tags:exe FormBook GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order List from Dunen Enterprise Corporation.exe
Verdict:
No threats detected
Analysis date:
2021-09-14 04:24:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5efdfd80-9875-4a9d-bbfc-c65278cccb73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187627/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/617509239a5a1e91c5d1ff1c/reports/090f732d-f809-473f-a4a1-05e76fd6050d/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/775ead63-6f3e-4f00-904d-f8a211db4b9d
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850361
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious icon found
Queues an APC in another process (thread injection)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 04:21:06 UTC
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4akygxowto6tqtfzwndzqs3eqvrcqg5j4uzmueilnfrlz2jgejiq._file
Verdict:
malicious
Similar samples:
48aac53ca47241dd233ec894895239d5539c53b5e35310389529724a457555a7
Formbook
5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494
Formbook
7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
Formbook
9e313db794797641d0c55ff15c1f663e13893bb443bb84e0dd212f8a7aeca598
Formbook
ace7e59fa80a108d4f3fd0a56a99f03d17e56ec2c756092aa65b910352f59921
Formbook
ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
Formbook
bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c
Formbook
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
Formbook
e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Formbook
+ 5'246 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:hhse downloader loader rat
Link:
https://tria.ge/reports/210914-eynj2ahggq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Xloader Payload
Guloader,Cloudeye
Xloader
Malware Config
C2 Extraction:
http://www.mx-online-service.xyz/hhse/
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/78efbe6c-5e64-482b-a544-7589ab2120e4/
SH256 hash:
e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
MD5 hash:
744d832006910318b2826e4cc8db4b11
SHA1 hash:
b58f485d5153dc4cb1a608091e1174d6fc966a4a
Link:
https://www.unpac.me/results/78efbe6c-5e64-482b-a544-7589ab2120e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251

(this sample)

  
Dropped by
guloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187627/

Comments