MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 14



SHA256 hash: ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
SHA3-384 hash: 2ce2ef959ef49e80b781ea9ec48a84daf9b1d6c72986e6fb8caf1b3042e5947b2113094d21c9c93f9e87e66e727563e2
SHA1 hash: b1056e092c871bab1095882d873e01fe5650f32c
MD5 hash: 7bf1a9ce32851c40625730a89f1b32a3
humanhash: october-may-eighteen-tennis
File name: DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe
Signature: Formbook
File size: 3'485'531 bytes
First seen: 2021-10-26 23:26:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:y4nWezC8Al3QB5lDD7NKsOLUjSB1ORb8CGE6C8aFoYJB:yhcki/cfgj+ORb8Cf8i9B
Threatray 202 similar samples on MalwareBazaar
TLSH T16DF5338C31A4EAF5F7E21F7A315848ED26B491D4B63637D41E743648F882790B4C6B8E
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: exe FormBook


abuse_ch
Formbook C2:
http://gcl-gb.biz/stats/save.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://gcl-gb.biz/stats/save.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/237940/

Intelligence


File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
exploit overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook SmokeLoader Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 509838, sample DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe, start date 27/10/2021, architecture WINDOWS, score 100 (graph rendering not reproduced here; the process tree, dropped files and contacted hosts it shows are summarised in the signature and behaviour lists above and below).
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2021-08-28 07:47:28 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
5/5
Result
Malware family:
xloader
Score:
10/10
Tags:
family:raccoon family:smokeloader family:socelars family:vidar family:xloader botnet:706 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:933 botnet:937 campaign:s0iw aspackv2 backdoor discovery evasion loader rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Xloader Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Xloader
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
http://gejajoo7.top/
http://sysaheu9.top/
http://www.kyiejenner.com/s0iw/
https://mas.to/@lilocc
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: RedOctoberPluginCollectInfo
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments