MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa
SHA3-384 hash: 0a4e2bb177a5efd05dbbc2ce6065b2825fd4e0b87f8fab98935ee8058f1f7e5eb100dff215dc77ed7f2e450535094bf0
SHA1 hash: bc19d6af2ea26015793bc6ffbe8527254d5c4e58
MD5 hash: 2f513d44fd0845e6cdbabc874dc55a53
humanhash: fillet-kansas-ten-don
File name:Tripleness.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'111'392 bytes
First seen:2024-09-20 20:04:03 UTC
Last seen:2024-09-23 12:35:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 12288:Cm12amGfy0D581DiNyQm6m3zwKjhMDQ73Ti/aG7cJEgH7K3UK+n1hxOcCMV3fAy9:Cmrm70l81DiNhbghFH7qUrvxOcC899
Threatray 1'028 similar samples on MalwareBazaar
TLSH T15335BE4226118D86D7B477F88FA4E3B9030A4F9EF955CA0299F0AC53F8EDE276C254D4
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon e4f0b90098b4722c (1 x Formbook)
Reporter threatcat_ch
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Boom Gladest
Issuer:Boom Gladest
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-13T02:11:21Z
Valid to:2026-12-12T02:11:21Z
Serial number: 4a795c2fda774c264641092de9b1e53fd36eee88
Thumbprint Algorithm:SHA256
Thumbprint: f73555f7d50c031e102cd32b48bb5863bd24890d3e9c5af65cdebc15ff642fa0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
469
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Tripleness.exe
Verdict:
Malicious activity
Analysis date:
2024-09-20 20:04:23 UTC
Tags:
guloader loader
Link:
https://app.any.run/tasks/9808a88f-c404-44b4-a865-de14fa697d3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.10107.14435.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66edd5341db25d66857c5c86
Tags:
Encryption Execution Generic Static Malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66edd5383d94125307287b07/reports/9d139717-6fd7-4b72-92f9-963443f87a5a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2cb28c25-3bfc-45b0-8c4b-d75f0c38a16e
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1514698
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Suspicious powershell command line found
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1514698 Sample: Tripleness.exe Startdate: 20/09/2024 Architecture: WINDOWS Score: 68 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected GuLoader 2->29 8 Tripleness.exe 4 33 2->8         started        process3 file4 25 C:\Users\user\AppData\...kkoloddet.Ret181, ASCII 8->25 dropped 31 Suspicious powershell command line found 8->31 12 powershell.exe 18 8->12         started        signatures5 process6 signatures7 33 Sample uses process hollowing technique 12->33 35 Found suspicious powershell code related to unpacking or dynamic code loading 12->35 15 MpCmdRun.exe 12->15         started        17 SIHClient.exe 6 12->17         started        19 conhost.exe 12->19         started        21 37 other processes 12->21 process8 process9 23 conhost.exe 15->23         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-20 03:54:51 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mqp6zcnh7p2dkvupyhfgtqmcconzbicfj5wsjkzyj5bn2kgs35a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
27a27f7a05d98177ca443f7341412869205ce10deaec52148989f4ded45605fc
Formbook
3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1
Formbook
42568b23642c3e00e11b6cec958a4395b96538b04148b9855b4881392dce66d1
Formbook
728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980
Formbook
7298b43de9d8dc586ce35f452e67b98d234c2b005648ffb7e6a21bea06a8dcb9
Formbook
c527daf2491bb0c007246173bd7dee7926a01418ae3550f60f6971f2fb8caa94
Formbook
f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa
Formbook
+ 1'018 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader execution
Link:
https://tria.ge/reports/240920-ytal6avhjm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/413a9868-d71b-45ab-b281-5973f74a7249
Unpacked files
SH256 hash:
f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa
MD5 hash:
2f513d44fd0845e6cdbabc874dc55a53
SHA1 hash:
bc19d6af2ea26015793bc6ffbe8527254d5c4e58
Link:
https://www.unpac.me/results/43d04761-5e3c-4db5-8148-c681a692d017/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f320ff644d3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f320ff644d3fdfa1aab47e0e534e0c109cdc85022a7b692559c27a16e94696fa

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments