MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
SHA3-384 hash:	85fa0896ab3928d6c17b506c25069b9160e6eb45ce23ebc48009eb9e7b91528da796b1efef3b79d0a2f185758130c27c
SHA1 hash:	9e6414c9399f318ba9060964026a67b143ea7399
MD5 hash:	b785b8a629f1d164fb1090c19f8001c3
humanhash:	bulldog-december-kentucky-skylark
File name:	new order_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	280'614 bytes
First seen:	2023-04-16 18:05:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	6144:/Ya6DsaY+xQDoTo8NSpybh++7Cb/kxVi9aUw/xZOBdkvGT1Yq0g0BYVG5F6Yo:/YRDY+WcU2SuRub+ZUoyWvGeq0gDG5ro
Threatray	2'605 similar samples on MalwareBazaar
TLSH	T1BE5412047991D1D7E07705B26D7E326BFBE2A90320E4A64F5780AB8EFD227416D0F762
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

new order_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-04-16 18:05:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f369dab0-9da5-4984-97ec-abf4f433ebe8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/382655/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33454557.29881.18354.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/79942/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo nemesis overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/643c390bb197bbdcf7dc1e20/reports/c1b0b75c-133e-43e9-95b1-76ac8c640f54/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/278b0b96-c42a-4ab5-b8ce-6d5c2e9c1266

Result

Threat name:

FormBook

Detection:

malicious

Classification:

evad.troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1214787

Signature

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-04-15 09:39:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ueg6wz6s2h53l3z5b5pytyr23qmamphza46hffvjn3mh5i4d53q._file

Verdict:

malicious

Label(s):

formbook

Formbook

407cca2ad9433a2a222f9ab1ce14060bf6d5a5c041dc8d2b545257fd0be9e8b1

Formbook

4669b95ca73b3835e391016b48633970c1d25f4394bf4046b7eabaab725ad0d9

Formbook

53ef5cf03618cf6124b33c3ef3fbb97a993b9612b2fff665bb7de2fec5d7dfac

Formbook

564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de

Formbook

99c70511abddfe39ccaea3fd4cafb9bc382ebdf0bd8b9a9c8f18a178ef63e664

Formbook

b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe

Formbook

b5b596f70279f40da033a19eb80841b5486fb16d9d44c2778cc158910adde7a1

Formbook

bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb

Formbook

f75f11958cb9b23e256cd0668e7490113565acd86d66180483e7b909d7750ed3

Formbook

+ 2'595 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230416-wpqfpscf2v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

1ec556b9804a8195576bd569f55123e08c93406905b7fe66daadc5369d6c2dc3

MD5 hash:

62459803fbeef4fd6a4a096c937f9d70

SHA1 hash:

ec5a7eab356a72fe2da78f15922b35ae1b411ad3

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/34c4075d-a221-4aeb-91af-99ba58013215/

Parent samples :

564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de
dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f

SH256 hash:

67e25baff0b3f7a1c113efcc745954458fec8a4f7a820602e79eac9d292d48c3

MD5 hash:

7534319157a5fee111d00c04db2ae29e

SHA1 hash:

5e2e6995a015088745da4a1a0cb119fadc1c9e69

Link:

https://www.unpac.me/results/34c4075d-a221-4aeb-91af-99ba58013215/

SH256 hash:

a844410700062b537bc25019e7f84bb88a1d59b1f476599ae9dda8f9a41551f5

MD5 hash:

f841a047a571c92b2bdc768c9881f6f4

SHA1 hash:

166277b26c426bfdc707de27b33a158f063960ab

Link:

https://www.unpac.me/results/34c4075d-a221-4aeb-91af-99ba58013215/

SH256 hash:

dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77

MD5 hash:

b785b8a629f1d164fb1090c19f8001c3

SHA1 hash:

9e6414c9399f318ba9060964026a67b143ea7399

Link:

https://www.unpac.me/results/34c4075d-a221-4aeb-91af-99ba58013215/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dd086f5b3e96/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/382655/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample