MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616
SHA3-384 hash: 85a1db1a902d5f7e07ec48f090ce5622355a5d91fb1fff17331be60b6b2df357e9e522585a9bcc8910d7d3b92b1aa5aa
SHA1 hash: 63f002cdfcae672339792cd1bf48183e5ff7d182
MD5 hash: a54895ee403246fc977b7ce6cf67ae3e
humanhash: april-green-timing-tango
File name: documents.exe
Signature: Formbook
File size: 1'184'768 bytes
First seen: 2022-09-08 16:17:59 UTC
Last seen: 2022-09-11 16:17:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:8n1oneh6HA8uyhDWxvNlA/Nz3iVxGfSHh1C97ZLo4d9YqoxnXwzQPvZWoM/:8mneX9yhDW/lgRyXrC9G4wvwzQP0oM/
TLSH: T1A0454A0231924DA1D1B653B890CDC47287B99E45E23FC6477FC99DEBF182F6846D23A2
TrID: 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.0% (.SCR) Windows screen saver (13101/52/3)
      8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: f0cc96b3b392ccf0 (8 x Formbook, 4 x SnakeKeylogger, 4 x AgentTesla)
Reporter: GovCERT_CH
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 3
# of downloads: 349
Origin country: n/a

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: documents.exe
Verdict: Malicious activity
Analysis date: 2022-09-08 16:19:29 UTC
Tags: formbook trojan stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID: 699842; sample: documents.exe; start date: 08/09/2022; architecture: WINDOWS; score: 100), recovered from the flattened graph image as a process tree:
  Sample node: contacts www.myhoneybakeefeedback.com and www.namastechocolate.com. Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures. Starts documents.exe.
  documents.exe: dropped C:\Users\user\AppData\Roaming\lZTDCUWOL.exe (PE32), C:\Users\...\lZTDCUWOL.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp42D2.tmp (XML) and C:\Users\user\AppData\...\documents.exe.log (ASCII). Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender. Starts RegSvcs.exe, powershell.exe and schtasks.exe.
  RegSvcs.exe: Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injects into explorer.exe.
  powershell.exe: starts conhost.exe.
  schtasks.exe: starts conhost.exe.
  explorer.exe (injected): contacts www.retail-trading-ca.site (64.190.63.111, 49722, 80; NBS11696US, United States), www.josephmagnoli.com (103.255.45.60, 49723, 49724, 80; COMING-ASABCDEGROUPCOMPANYLIMITEDHK, Hong Kong) and 3 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses netsh to modify the Windows network and firewall settings. Starts netsh.exe.
  netsh.exe: Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process.
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-09-08 12:52:44 UTC
File Type: PE (.Net Exe)
Extracted files: 36
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:ejgp rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Unpacked files
SHA256 hash: dc0b78b8dff95f26b817b087014f09106b2801b9f72d4b5d663c88d032a09718
MD5 hash: d7635bbf67d9f1e7c6c6a41027b71b4d
SHA1 hash: 63dc09d51b28890543d813f013bfc98a249958dc
Detections: win_formbook_auto win_formbook_g0

Parent samples:
SHA256 hash: 8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63
MD5 hash: dbc7be56e6e32349315170599c8b333f
SHA1 hash: d8e5840e3574b87d435e55a65ac648e040871aee

SHA256 hash: 74d5dec2a36425ee1d1b2b970b2d2e5050de5fcf6da9b894e532ebf3c498b510
MD5 hash: 1f5109cebe8d7d7197e4e0e38e896490
SHA1 hash: b58c46f5b4cf08a7f00262aa9a02f43d2e204fc1

SHA256 hash: 612de4f9fe0584f29ff349074ec98aac97abbbbe52ea39608c8f0cbb18f38a58
MD5 hash: 559999224ff3d74327195d58dacd2f6a
SHA1 hash: 37b1af6506d1feb775514454865e703e8497faa7

SHA256 hash: 9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash: 93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash: 220098c3047c32b51ae13a5cc1e9beeef3da6e18

SHA256 hash: ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616
MD5 hash: a54895ee403246fc977b7ce6cf67ae3e
SHA1 hash: 63f002cdfcae672339792cd1bf48183e5ff7d182
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616 (this sample)
Delivery method: Distributed via e-mail attachment

Comments