MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
SHA3-384 hash: 1b9903b4cf40ef98398d89a2adfdf2cb05fcf842c2b20d29f50310c5c5a505b8648c5adeb0432cd2e89c482130cba3f4
SHA1 hash: f954bd1bd2250d4eb9249f3d9ca5a464b55ee44c
MD5 hash: 91bc4999ed5740509f8eceeed0638400
humanhash: kilo-triple-queen-india
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:920'576 bytes
First seen:2023-06-29 11:29:25 UTC
Last seen:2023-06-29 11:34:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0N8Ne5oHOEQeeZwHyLop6bZFJdj3Kk24ppQRNvSmr5:0CzMwHp6lkk7ppmJj
Threatray 3'321 similar samples on MalwareBazaar
TLSH T14C15183828FC5AE2C078C7F94ED1B063F3A4953E3825DD255C8267D90666B9215F3A2F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f2ceaca6b2968e8a (10 x AgentTesla, 7 x Formbook, 2 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook QUOTATION

Intelligence

File Origin
# of uploads :
3
# of downloads :
271
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2023-06-29 11:30:49 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/5ce53cd8-15eb-4650-a35d-eb525ad082cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403743/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.30359.14514.4887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Restart of the analyzed sample
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/649d6b3c2aeaabaa7b77c9a0/reports/8fba020f-991b-43bc-924f-bf260600dae8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7e5a377-5a04-4057-b9e4-6efb4972ccaa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1263207
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 896238 Sample: Quotation.exe Startdate: 29/06/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 Quotation.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\Quotation.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 14 Quotation.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 2 1 14->17 injected process8 dnsIp9 30 www.lan26.ru 185.114.245.124, 49707, 80 TIMEWEB-ASRU Russian Federation 17->30 32 www.humanlongevity.xyz 13.248.169.48, 49705, 80 AMAZON-02US United States 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 08:30:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
77
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xm6vvz6qgdxb7ulzao2mx4ghyxnnuqknizmmcax2pw4rrfkhdka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0daf37a7f327ddc858e1c6c4a02974012fb9434de66256402c8091561ae16fd4
Formbook
1a7cb176a2a06673ab935e620b6931eb7d2ffc2af157ae9cfbedb6b7f3bde072
Formbook
29558d0c124ef9f0b3b801e37c0b2c652930158fc94d110444b3f0d43be8329f
Formbook
2f8e9facdf104aa0a763dd40689e81b21b6664fb3b737e8d391d111e2bb38087
Formbook
44ca2fb5336865c635d0c1f4c75cfecec1b4fad8fe3de812c048c223cc06fba3
Formbook
5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a
Formbook
a70b171c28645f51d9405f8429ae74f28d27ddb48786545bc21f35810f9501e4
Formbook
b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe
Formbook
e957b57dd7065ae616356eab294d987a85de63b5cfdd5cdc4f7fa630c34293ca
Formbook
e9c78b2128b2954b72c71bbea4d0d64c2be08cbad2d2806033845a657494eb91
Formbook
+ 3'311 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cs94 rat spyware stealer trojan
Link:
https://tria.ge/reports/230629-nl46pacg99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
df1fd4d5ad36ef13bf308c96c10f218fba65f3b07fa0f685c9400e554a16e964
MD5 hash:
8a8b0eec2d0d029bf9d3ec5a1be0cfb6
SHA1 hash:
5ecb66557a224421e5208e5bb6f7c7723acade0d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
Parent samples :
5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a
1a7cb176a2a06673ab935e620b6931eb7d2ffc2af157ae9cfbedb6b7f3bde072
0daf37a7f327ddc858e1c6c4a02974012fb9434de66256402c8091561ae16fd4
e9c78b2128b2954b72c71bbea4d0d64c2be08cbad2d2806033845a657494eb91
e957b57dd7065ae616356eab294d987a85de63b5cfdd5cdc4f7fa630c34293ca
44ca2fb5336865c635d0c1f4c75cfecec1b4fad8fe3de812c048c223cc06fba3
2f8e9facdf104aa0a763dd40689e81b21b6664fb3b737e8d391d111e2bb38087
ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
d2906d9945a58df92abb912c1932d44533d174118522982a2fa36adb592a7801
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
1f200045f86de3140542a3a3b6a37af195776e7810e5d60998f7db16e46ce658
MD5 hash:
b34f28bf32f91dee66f8763f6c4bb034
SHA1 hash:
1ede4c95f33d7c79d182a567c2d1795be9ad91cd
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
df1fd4d5ad36ef13bf308c96c10f218fba65f3b07fa0f685c9400e554a16e964
MD5 hash:
8a8b0eec2d0d029bf9d3ec5a1be0cfb6
SHA1 hash:
5ecb66557a224421e5208e5bb6f7c7723acade0d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
Parent samples :
5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a
1a7cb176a2a06673ab935e620b6931eb7d2ffc2af157ae9cfbedb6b7f3bde072
0daf37a7f327ddc858e1c6c4a02974012fb9434de66256402c8091561ae16fd4
e9c78b2128b2954b72c71bbea4d0d64c2be08cbad2d2806033845a657494eb91
e957b57dd7065ae616356eab294d987a85de63b5cfdd5cdc4f7fa630c34293ca
44ca2fb5336865c635d0c1f4c75cfecec1b4fad8fe3de812c048c223cc06fba3
2f8e9facdf104aa0a763dd40689e81b21b6664fb3b737e8d391d111e2bb38087
ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
d2906d9945a58df92abb912c1932d44533d174118522982a2fa36adb592a7801
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
1f200045f86de3140542a3a3b6a37af195776e7810e5d60998f7db16e46ce658
MD5 hash:
b34f28bf32f91dee66f8763f6c4bb034
SHA1 hash:
1ede4c95f33d7c79d182a567c2d1795be9ad91cd
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
df1fd4d5ad36ef13bf308c96c10f218fba65f3b07fa0f685c9400e554a16e964
MD5 hash:
8a8b0eec2d0d029bf9d3ec5a1be0cfb6
SHA1 hash:
5ecb66557a224421e5208e5bb6f7c7723acade0d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
Parent samples :
5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a
1a7cb176a2a06673ab935e620b6931eb7d2ffc2af157ae9cfbedb6b7f3bde072
0daf37a7f327ddc858e1c6c4a02974012fb9434de66256402c8091561ae16fd4
e9c78b2128b2954b72c71bbea4d0d64c2be08cbad2d2806033845a657494eb91
e957b57dd7065ae616356eab294d987a85de63b5cfdd5cdc4f7fa630c34293ca
44ca2fb5336865c635d0c1f4c75cfecec1b4fad8fe3de812c048c223cc06fba3
2f8e9facdf104aa0a763dd40689e81b21b6664fb3b737e8d391d111e2bb38087
ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
d2906d9945a58df92abb912c1932d44533d174118522982a2fa36adb592a7801
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
1f200045f86de3140542a3a3b6a37af195776e7810e5d60998f7db16e46ce658
MD5 hash:
b34f28bf32f91dee66f8763f6c4bb034
SHA1 hash:
1ede4c95f33d7c79d182a567c2d1795be9ad91cd
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
df1fd4d5ad36ef13bf308c96c10f218fba65f3b07fa0f685c9400e554a16e964
MD5 hash:
8a8b0eec2d0d029bf9d3ec5a1be0cfb6
SHA1 hash:
5ecb66557a224421e5208e5bb6f7c7723acade0d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
Parent samples :
5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a
1a7cb176a2a06673ab935e620b6931eb7d2ffc2af157ae9cfbedb6b7f3bde072
0daf37a7f327ddc858e1c6c4a02974012fb9434de66256402c8091561ae16fd4
e9c78b2128b2954b72c71bbea4d0d64c2be08cbad2d2806033845a657494eb91
e957b57dd7065ae616356eab294d987a85de63b5cfdd5cdc4f7fa630c34293ca
44ca2fb5336865c635d0c1f4c75cfecec1b4fad8fe3de812c048c223cc06fba3
2f8e9facdf104aa0a763dd40689e81b21b6664fb3b737e8d391d111e2bb38087
ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
d2906d9945a58df92abb912c1932d44533d174118522982a2fa36adb592a7801
SH256 hash:
f345dc2619cf1654262bbc2d0d5a78d5b58bda2bfb0238a3ff49f1e40a3a210f
MD5 hash:
cd621e04412820a1b7837252b80b6dda
SHA1 hash:
fdc39de2f08b69461385f153046e267a5f847ce1
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
1f200045f86de3140542a3a3b6a37af195776e7810e5d60998f7db16e46ce658
MD5 hash:
b34f28bf32f91dee66f8763f6c4bb034
SHA1 hash:
1ede4c95f33d7c79d182a567c2d1795be9ad91cd
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
SH256 hash:
ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
MD5 hash:
91bc4999ed5740509f8eceeed0638400
SHA1 hash:
f954bd1bd2250d4eb9249f3d9ca5a464b55ee44c
Link:
https://www.unpac.me/results/75bd0c2f-154a-40de-a2b2-a83de5432c88/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddd9ead73e81/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 2ee6fb6a93174c53b1de3fb881ff50f06ff33a03337b6cb8d37bd562b18eda13

Formbook

Executable exe ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2ee6fb6a93174c53b1de3fb881ff50f06ff33a03337b6cb8d37bd562b18eda13
Cape
Cape
https://www.capesandbox.com/analysis/403743/
  
Dropped by
MD5 6fcffe0cce8f42a10d348e41cf397d6e

Comments