MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8
SHA3-384 hash: 593c92a3069bd45773a7aa1cfcfe8d434d253363ee79b84d65dbd5973bc5e1dd3cb0c58b4527a92d9945942106e7f7eb
SHA1 hash: 660730d92b0283c3a35c16926be5afbfa2760fe1
MD5 hash: 3a1e1b15fe2e5aa1a930f584fad70644
humanhash: six-carolina-stairway-fanta
File name:3a1e1b15fe2e5aa1a930f584fad70644.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:396'975 bytes
First seen:2023-04-16 10:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:xY1mbehrfVIaIFIPmjCPsgRhkgfRQ4tSE5:xY1m6hpRIAUCPvRhfRZH5
Threatray 2 similar samples on MalwareBazaar
TLSH T13284E0C5F9109571DC295771293ADC722A137C2EA1B4290C3ACE3E6B3FBF443A81A553
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3a1e1b15fe2e5aa1a930f584fad70644.exe
Verdict:
Malicious activity
Analysis date:
2023-04-16 10:55:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c8e74fd-d355-4836-8021-4285b9f501b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382607/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79902/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/643bd3ce0c9f1744b58617e5/reports/20734a4f-320d-4a3f-b4ab-0e5518e44ef7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c49a50c9-2e19-47ea-8974-c62d49328b80
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214614
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-16 09:04:34 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3utrw5kfirrd6nveuya4tazepkabi6ugvjlds7qh3fy47h7a6wua._file
Verdict:
malicious
Similar samples:
642caac35b91c7f6346536161060cb7f06ad8e5849ba771eafb0b247447bb64f
Formbook
79bd06f9b86b615ed20afed2f07c1d137ad986fecba89e89ddaefc5c65a49b76
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230416-mzkhrsbe8y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
ea91509205a304b38ba22a345c2bd87da142cbca538019a773f99734527ad97d
MD5 hash:
712ae4eba33187b25cb9fe090864eb35
SHA1 hash:
7f44c81f4be5b5bc25c1e1586e9da5ad769aead2
Link:
https://www.unpac.me/results/d3597812-d056-4777-83f0-c451b069ad61/
SH256 hash:
91f2ec8289a54b418092991f2fe622b2d63966c6fb1176f0e93bcc05967a6434
MD5 hash:
8f8dc381125e659184139c12d82a7fe9
SHA1 hash:
5a48fdbe0e0d1a69b2baa00df89ff2485ce930cf
Link:
https://www.unpac.me/results/d3597812-d056-4777-83f0-c451b069ad61/
SH256 hash:
e1c2c0834652619c41fa8774385830c48170cd39ad0961c8265791ee22b6e18b
MD5 hash:
ef9d8ac02436f8de8601bf16a9662fac
SHA1 hash:
f2e19bec8efd83f2b9884152418789fb862539fa
Link:
https://www.unpac.me/results/d3597812-d056-4777-83f0-c451b069ad61/
SH256 hash:
dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8
MD5 hash:
3a1e1b15fe2e5aa1a930f584fad70644
SHA1 hash:
660730d92b0283c3a35c16926be5afbfa2760fe1
Link:
https://www.unpac.me/results/d3597812-d056-4777-83f0-c451b069ad61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe dd271b754544623f36a4a601c983247a80147a86aa56397e07d971cf9fe0f5a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2581830/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382607/

Comments