MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a
SHA3-384 hash: 91f691650c23185c2d7db4c5a72e6ec1672fc9f916bc1315953bc4e93d07088c0b46bbfc1d41366c36dc57c793b0d54a
SHA1 hash: 9f9b7f895fba201cbd7f7c784c9c840ceab5a491
MD5 hash: 9c4eafada8143a2b4cdf8c37650421a3
humanhash: minnesota-juliet-emma-connecticut
File name:IRQ2107797_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:407'058 bytes
First seen:2022-04-04 12:19:56 UTC
Last seen:2022-04-04 15:29:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:YNeZwiPCdjgbbvISbI92znlRHuG6oLI+KNkyUVY8Jh3nODUx7v:YNXICdobI9G7HunoIf6yGJh3nO4x7v
Threatray 14'594 similar samples on MalwareBazaar
TLSH T1E184129535A1C8B2D6F245316E72D07B1B7EBE2018215A0B77C0BF4E7472A10F91FBA9
File icon (PE):PE icon
dhash icon 3cc4dadc9cc24060 (1 x Formbook)
Reporter cocaman
Tags:exe FormBook QUOTATION

Intelligence

File Origin
# of uploads :
3
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260562/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.2757.22995.26437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12550/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624ae275db9ca5cf841b6da3/reports/182fa1ed-e724-486c-aaaf-cb7d4d0244ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1f55eb1-bf6b-4bbc-9253-63a15c2bc42e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970144
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602627 Sample: IRQ2107797_pdf.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 5 other signatures 2->51 10 IRQ2107797_pdf.exe 18 2->10         started        process3 file4 29 C:\Users\user\AppData\Local\...\lxqitxn.exe, PE32 10->29 dropped 13 lxqitxn.exe 10->13         started        process5 signatures6 63 Multi AV Scanner detection for dropped file 13->63 65 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->65 67 Tries to detect virtualization through RDTSC time measurements 13->67 69 Injects a PE file into a foreign processes 13->69 16 lxqitxn.exe 13->16         started        process7 signatures8 37 Modifies the context of a thread in another process (thread injection) 16->37 39 Maps a DLL or memory area into another process 16->39 41 Sample uses process hollowing technique 16->41 43 Queues an APC in another process (thread injection) 16->43 19 systray.exe 16->19         started        22 explorer.exe 16->22 injected process9 dnsIp10 53 Modifies the context of a thread in another process (thread injection) 19->53 55 Maps a DLL or memory area into another process 19->55 57 Tries to detect virtualization through RDTSC time measurements 19->57 25 cmd.exe 1 19->25         started        31 www.someenginething.com 217.160.0.84, 49787, 80 ONEANDONE-ASBrauerstrasse48DE Germany 22->31 33 www.com-sh.xyz 22->33 35 192.168.2.1 unknown unknown 22->35 59 System process connects to network (likely due to code injection or exploit) 22->59 61 Performs DNS queries to domains with low reputation 22->61 signatures11 process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 12:20:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3x62web5gtp4nxowkgdulqibgqxjsu7gylqesv3ocxvfod5rny5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
253f3e1ffc17c3ef73f007378392b6b18c856f03175e978572bc3f105b3754a2
Formbook
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc
Formbook
5d73c1ce4d0c8beea33b6eaef76d82e389d139d8e6caa17c2767c70889697c3b
Formbook
682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e
Formbook
7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6
Formbook
ce7e5c68cfe5d7e602c698d10280cd44280e78dfa8ba0b549b90a4ba906ba84b
Formbook
d3173c18c350a7fa99867f3ef7c9bf5375a4e1ca7f5706c60d883cb17322491f
Formbook
de9fdb344c542595de3ddf65357a6982f0085d0f7b42c1de534c3963134c2cb3
Formbook
+ 14'584 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s09m rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-phra4aaafn/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
63babb250653c967089ff446fe153ade6ea4c6b893d1ef22733b25122d00b1e9
MD5 hash:
5b42595445d092db8cbdb88fb7ba02ae
SHA1 hash:
cdaf8cfb0a0edf56f7e689610e268873ca1fcb65
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/71949f2d-1c9c-477f-9af4-9ce308f3ff50/
Parent samples :
83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16
682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e
ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a
ec6cb0a51fe3d020e3989762f1b449f45413695c9ea7db67d3a2cf31c9e26ef1
SH256 hash:
55432dc75dd9eaf4e96d9f5eb031d9c8d77dc63febf2e0e56ce305ff5098d19c
MD5 hash:
f302f40cbdcfcc2c417d1e9830d9b958
SHA1 hash:
25df30b101dcb7c5f47f4b8b5c2632a1edb8c6d8
Link:
https://www.unpac.me/results/71949f2d-1c9c-477f-9af4-9ce308f3ff50/
SH256 hash:
b5597db0ec1eaa80de0fcec5e9a8ecac6119de93bef50152e9b2642a35f292ed
MD5 hash:
5e5e461d8cf47eb974aed946222080dc
SHA1 hash:
d1a42b9ddda649b788aca2923a3544d3b8f3b772
Link:
https://www.unpac.me/results/71949f2d-1c9c-477f-9af4-9ce308f3ff50/
SH256 hash:
ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a
MD5 hash:
9c4eafada8143a2b4cdf8c37650421a3
SHA1 hash:
9f9b7f895fba201cbd7f7c784c9c840ceab5a491
Link:
https://www.unpac.me/results/71949f2d-1c9c-477f-9af4-9ce308f3ff50/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ddfdab103d34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5

Formbook

Executable exe ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c79d18cbcb3d8173a566953d17d6b9de45677be87bc580e234e6767488f096a5
Cape
Cape
https://www.capesandbox.com/analysis/260562/

Comments