MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8
SHA3-384 hash: cd478fbfdf9e344d6406dd9456580fa248416f105a868659c701900d2bdc01ffc5d7c823ac32b7af5421abdfab907d0a
SHA1 hash: 80f9a44457b63b766ce26acfb69676a402c2b838
MD5 hash: 04d6b8269105608ef9a560927dc3a9fa
humanhash: kilo-ack-green-stream
File name:SecuriteInfo.com.Gen.Variant.Androm.29.22420.16142
Download: download sample
Signature Formbook
Create hunting rule
File size:258'048 bytes
First seen:2021-05-07 16:56:04 UTC
Last seen:2021-05-10 04:20:32 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:nEK9X0GgQZ140UzRacqVsqgat+qUeNmD1hI4:nE80VO40Uq9gaQmUI
Threatray 5'079 similar samples on MalwareBazaar
TLSH B5441229B8D0D67BCC4092710E3687A6CFE2DD0858965B0B7BD03B1E7DB2652151FAE2
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
3
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Gen.Variant.Androm.29.22420.16142.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2021-05-07 13:57:39 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3u7m6c22hgzipotdnb76cl7r6h6n3y2k34ht4mhxtehlyfmdi7ma._file
Verdict:
malicious
Similar samples:
024c67bdc81850f0d4acf648be1016358c78e21a74dbde96b0d753cffd76ffa7
Formbook
0c856e57da034a8943b4065297d075365090d9eb925abb7ba74dd3df9acefc1f
Formbook
2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6
Formbook
3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461
Formbook
5313ca84959a3d88973ad5b85acc66e268c3e8874d5d6f21fcd4a4c1a7628496
Formbook
6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
Formbook
9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259
Formbook
b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2
Formbook
cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
Formbook
ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16
Formbook
+ 5'069 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210507-4bgegmyl1e/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.111bjs.com/ccr/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1204513/
  
Delivery method
Distributed via web download

Comments