MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd3f64e6a847fd8ba77ec995ef3c1b9b6ce164df8056545b9e537cf5a23f64a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd3f64e6a847fd8ba77ec995ef3c1b9b6ce164df8056545b9e537cf5a23f64a0
SHA3-384 hash: eb1aade7d088c1e06e19f64b247aa53462c916a78dfbee3bf7714b538c9aa8a0ccee3780ff4d4056b07f1a6754d8aaaf
SHA1 hash: fce4cc44725b823a076f5cf10b3b3ba7d5f6eb8c
MD5 hash: bd985fa9dab5379cad24e6ad1c2d8bed
humanhash: wolfram-summer-violet-butter
File name:Product specification.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:433'344 bytes
First seen:2022-01-03 12:16:50 UTC
Last seen:2022-01-03 13:58:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:jbLfJZKtTkBhrzMzvZsHLYurx9X9k0lrEbmIqil:joTkBhrev+LYaxBlNIVl
Threatray 12'960 similar samples on MalwareBazaar
TLSH T1F794230825D2D4F7FBAD6631085BFD76C3F7C29216654CE35F482F2A297461B292E903
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Product specification.exe
Verdict:
Malicious activity
Analysis date:
2022-01-03 12:18:09 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/2a5ce68a-36be-4ddf-99e5-2e57bb756f27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217146/
Detection(s):
SecuriteInfo.com.Trojan.Risis.1.Gen.1232.29928.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d2e95892bdc4b4077b5e27/reports/429f2f49-9b1a-4866-b366-5501395110a0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff32bd33-260a-4ddf-a0c9-66939e2bcce6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914855
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547333 Sample: Product specification.exe Startdate: 03/01/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 10 Product specification.exe 18 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\qkewtxymr.dll, PE32 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 Product specification.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 ipufa.net 116.206.106.239, 49765, 80 PUBLIC-DOMAIN-REGISTRYUS Seychelles 17->30 32 www.kfitfabfrugal.com 45.199.79.162, 49752, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 msiexec.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dd3f64e6a847fd8ba77ec995ef3c1b9b6ce164df8056545b9e537cf5a23f64a0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-03 11:27:51 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3u7wjzvii76yxj36zgk66pa3tnwoczg7qblfiw46kn6plir7msqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0fae331eb46ca1a2971d2d03cc3558e51f73c36d14b70dd731ce44f799c723ef
Formbook
26a193d73c8ff03c76bab877f9a6a4d16078a09bf5abb85ab104d2d7d0685315
Formbook
4bc96a8bb1739c227e539a7aa4156cb6c1023a254e2660135351edbe9a7db8e2
Formbook
4fd44b1855341a3f6f31e08e4ad288747ecb8e5b8637b95fff99aa689de07446
Formbook
62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
8cacd20da785153237d5602e9fb15f7d18343b16e37dfbbf36b549e89a93378f
Formbook
ace8d85c2f02bd3d531cd8d609d23c6d35588ecce52f40a8d129b39a6b1d7723
Formbook
+ 12'950 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:t0y7 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220103-pf2daahfhl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
dd3f64e6a847fd8ba77ec995ef3c1b9b6ce164df8056545b9e537cf5a23f64a0
MD5 hash:
bd985fa9dab5379cad24e6ad1c2d8bed
SHA1 hash:
fce4cc44725b823a076f5cf10b3b3ba7d5f6eb8c
Link:
https://www.unpac.me/results/3c1425db-5005-4200-b593-9fb17987f9f0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd3f64e6a847/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/dd3f64e6a847fd8ba77ec995ef3c1b9b6ce164df8056545b9e537cf5a23f64a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dd3f64e6a847fd8ba77ec995ef3c1b9b6ce164df8056545b9e537cf5a23f64a0

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217146/

Comments