MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 1 File information Comments 1

SHA256 hash:	ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3
SHA3-384 hash:	c52dfb3abd09eb61b7ae2a85c97431e42c6668bea97137e188f298d6377410cadf5558757137914288fef2c73ad2da82
SHA1 hash:	13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b
MD5 hash:	8001fc3355e347ebeb82daf3170e884e
humanhash:	missouri-three-five-arizona
File name:	8001fc3355e347ebeb82daf3170e884e
Download:	download sample
Signature	Formbook Create hunting rule
File size:	245'307 bytes
First seen:	2023-06-27 06:28:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	3072:HfY/TU9fE9PEtuMbMDLzhZnItT0oQ/Uaz2Tc+D5whNWoW9lPNn644T2fU36/c1+G:/Ya64MzhVI+h9S4Da9lsK8N+u4uL
Threatray	2'263 similar samples on MalwareBazaar
TLSH	T1FE3412502AE0E037CAD281305B7B2B9D97E6ED2754B4671F13A0866F3D37291BD1D3A2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

INVOICE No. KTSPHI-AUDIO.docx

Verdict:

Malicious activity

Analysis date:

2023-06-27 05:27:55 UTC

Tags:

exploit cve-2017-11882 loader formbook xloader

Link:

https://app.any.run/tasks/a249c610-ecc8-41e3-9c33-a578fc3e0f33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/403117/

Detection(s):

SecuriteInfo.com.Win32.InjectorX-gen.10246.29869.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/92816/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/649a81ae07c2007b16e6eccd/reports/fd7e9795-314d-4e8a-a0b9-b6baea76bf5d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d7025b10-2a2d-42af-befb-c34dbc37332b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1261841

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-06-26 18:36:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xh3doscj2frbpedgamufbc7kcsollndsjilu4dkt3f4p3u6mprq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2e1feacb6a3980b6fe801af73c3eb68a60295d75e7a72fd0948091ba34a8d7d7

Formbook

35e8f730fa386dfecfb616ff20246d9eec1d6ec4d2b18f9d2e0d53032bff6b7f

Formbook

4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

Formbook

4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574

Formbook

6147af8263840617beb21652bb8db0fc7683a9e62a084254e548a884c8fa9a31

Formbook

6f9e6daba8384e0535415277476d0bc21a6943ed2cd1483b18259280fab5e2fc

Formbook

99ec8b8e93e7a91dab1a16b9353333fa340d52569de4b88f5703bbc5a666211c

Formbook

bf6a195481cb4cba11f09c03c4fca9be90f011fc883dad09b8b79a4b94e3aafc

Formbook

cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36

Formbook

+ 2'253 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:m42i persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/230627-g8wphadc56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

41b93d6be7b46e7d5b20ecfb2007ecba04349b0c1749252b29120b44107457b8

MD5 hash:

245f124925a294fcf99e982ce5332143

SHA1 hash:

e6130629152aeb5becb37b67372c7cf436e543ae

Link:

https://www.unpac.me/results/98a751c4-bba2-4bdc-aab6-99ba524112f1/

SH256 hash:

ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

MD5 hash:

8001fc3355e347ebeb82daf3170e884e

SHA1 hash:

13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b

Link:

https://www.unpac.me/results/98a751c4-bba2-4bdc-aab6-99ba524112f1/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ddcfb1ba424e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.