MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690
SHA3-384 hash: 5f439cb82a93d5582c74f2b68d405c54fc1dd29a03b45f4118d3b6f29eec3188932bc479b70fea50939eb7040c37e519
SHA1 hash: 672ee2e87cb398271dabb00bf1a3ab4f86f929e3
MD5 hash: 5ad92d3dc70657eb8ba837ef436c986e
humanhash: pluto-music-oscar-december
File name:E-dekont.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:651'264 bytes
First seen:2025-04-03 05:45:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:duFs1hSFlsxUbHYBYdGM13sQSDKRdn2rrP2dnGTuMUf:IaK2UjUYT13sQSDGB4idnGq
Threatray 1'156 similar samples on MalwareBazaar
TLSH T11CD4015C2215DB0BCD686BF40A61F2B917BC5EEEB902D3134ED8ADEBF56AB105C04583
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
524
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
E-dekont.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-04-03 05:53:14 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/172beff3-17de-4bee-97e1-f8688e38f12e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/231/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ee224acfd0a37f830ce8d1
Tags:
underscore spawn shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67ee209d40adfb5162b7ad7e/reports/44942513-6674-4b45-bf04-4e4d2792dd93/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a2e1b54-d6f2-4677-a8c9-f598f8f0f5c0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1655241
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1655241 Sample: E-dekont.pdf.exe Startdate: 03/04/2025 Architecture: WINDOWS Score: 100 39 www.partmentflatart.xyz 2->39 41 www.bjcwedding.xyz 2->41 43 9 other IPs or domains 2->43 61 Suricata IDS alerts for network traffic 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 69 12 other signatures 2->69 11 E-dekont.pdf.exe 4 2->11         started        15 svchost.exe 1 1 2->15         started        signatures3 67 Performs DNS queries to domains with low reputation 41->67 process4 dnsIp5 37 C:\Users\user\...-dekont.pdf.exe.log, ASCII 11->37 dropped 71 Adds a directory exclusion to Windows Defender 11->71 73 Tries to detect virtualization through RDTSC time measurements 11->73 75 Injects a PE file into a foreign processes 11->75 77 Switches to a custom stack to bypass stack traces 11->77 18 E-dekont.pdf.exe 11->18         started        21 powershell.exe 23 11->21         started        49 127.0.0.1 unknown unknown 15->49 file6 signatures7 process8 signatures9 51 Modifies the context of a thread in another process (thread injection) 18->51 53 Maps a DLL or memory area into another process 18->53 55 Sample uses process hollowing technique 18->55 59 2 other signatures 18->59 23 explorer.exe 102 7 18->23 injected 57 Loading BitLocker PowerShell Module 21->57 26 WmiPrvSE.exe 21->26         started        28 conhost.exe 21->28         started        process10 dnsIp11 45 204.79.197.203, 443, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->45 47 www.peekr.app 34.76.205.124, 49694, 80 GOOGLEUS United States 23->47 30 cmstp.exe 23->30         started        process12 signatures13 79 Modifies the context of a thread in another process (thread injection) 30->79 81 Maps a DLL or memory area into another process 30->81 83 Tries to detect virtualization through RDTSC time measurements 30->83 85 Switches to a custom stack to bypass stack traces 30->85 33 cmd.exe 1 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-04-02 13:06:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wq3ft3nal6sftu332wiuoton73gteufesroysxwoo76dr2242ia._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
089e95b16d5f1acc07ddaf59d1edf60fd52ce6cd29f4bfa17377f4a68c383d12
Formbook
28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7
Formbook
439e270481fa6cf85666be16e0f41dcbf80e2515b304573591528a1cfa3d9758
Formbook
4a16f87ede74f8f5cf4af54e78a69380979b1147a8302cd371d50947c4a0f0fe
Formbook
682ea9386cf6916b93cd4d71b6e9a56766178c8479e9a5121ca42672d4680754
Formbook
e69d37275cc3b52a9d3a26f76073191ab8f59901781b5ef2859f33dee2252ddc
Formbook
+ 1'146 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m13o discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250403-ggb6satjz5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3c785c34-f5d4-4206-83f0-bcc6144473d7
Unpacked files
SH256 hash:
dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690
MD5 hash:
5ad92d3dc70657eb8ba837ef436c986e
SHA1 hash:
672ee2e87cb398271dabb00bf1a3ab4f86f929e3
Link:
https://www.unpac.me/results/7bb63d2e-68cf-4b59-ba5d-5ba5bf118362/
SH256 hash:
4133ed4aeae29c29a7418b9436c053b60f2ea0839439a976b59a5363709e68d5
MD5 hash:
5efde2b247de91c3cdebf62e5be315b8
SHA1 hash:
007a741e896b47eeaf90454751b6ee828ab3f872
Link:
https://www.unpac.me/results/7bb63d2e-68cf-4b59-ba5d-5ba5bf118362/
SH256 hash:
11b5701487cee032487ac13a25751106a52d861faefc9cc8bc7627256e77b143
MD5 hash:
8b46bdaf347a68f3020fac21f6d00d96
SHA1 hash:
d72cb1dfc38bf7c8fc052a6fec81fc1232b52f66
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7bb63d2e-68cf-4b59-ba5d-5ba5bf118362/
SH256 hash:
9bb95fcf7dfd0852612dd070707d64f3d5c07d43a25fa637b8887f831c933bc0
MD5 hash:
8a10c1f7a85da013ae7a70dc499cf59a
SHA1 hash:
b15e28f226cce514e0bcb7457552d21e5a3dcde4
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/7bb63d2e-68cf-4b59-ba5d-5ba5bf118362/
Parent samples :
1813e0f9ae87ebcdbdd10834c3fa6a57cd3192c62fa4a35e16a201f4c6d48dd7
97b825e713db39ad07e6dcd7ed37ef80379f2838f8c89df538b942c15c4bfc2a
3fbcec3b7e1d2b8efef9e2ab1be54a55e2252166cd357fc2ee9cb42581851365
439e270481fa6cf85666be16e0f41dcbf80e2515b304573591528a1cfa3d9758
dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dda1b2cf6d02fd22ce9bdeac8a3a6e6ff669928524a2ec4af673bfe1c75ae690

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/231/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments