MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdadaa29cddfdc73c668258fea6614be64a933dcfa19072a6342024985a0a68b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: fdadaa29cddfdc73c668258fea6614be64a933dcfa19072a6342024985a0a68b
SHA3-384 hash: 92cc0f71f819ba7de72375989ea6b8e21640835a38123f69e8b81d4d55e70fe04de021deb6fce222ce4fd1b5c55441c9
SHA1 hash: 236d096f35b8fb375f0604b723016e34d3ed186f
MD5 hash: d8ba690a888d144be39d35edbb8c1b0b
humanhash: jupiter-carpet-vermont-illinois
File name: d8ba690a888d144be39d35edbb8c1b0b.exe
Signature: Formbook
File size: 412'160 bytes
First seen: 2021-10-30 09:16:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 6256ca6fb1d33cce27dff272311e3072 (3 x Formbook, 2 x ArkeiStealer, 1 x DiamondFox)
ssdeep 6144:R0RfJe81HMMQT0/u0agOEv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7Z:RKxemHz/u0akS2z+
Threatray 193 similar samples on MalwareBazaar
TLSH T100948C2833D08C32C5AE467164A0D6728634ED2257728BDB27C46FBB3D773C48965BA7
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Formbook C2:
http://91.219.236.97/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
http://91.219.236.97/  https://threatfox.abuse.ch/ioc/239602/
138.124.186.58:48619   https://threatfox.abuse.ch/ioc/239802/

Intelligence

File Origin
# of uploads: 1
# of downloads: 226
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d8ba690a888d144be39d35edbb8c1b0b.exe
Verdict: No threats detected
Analysis date: 2021-10-30 09:17:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: FormBook RedLine SmokeLoader Socelars Vi
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: (Behavior Graph ID 512201; sample Lr564s8C52.exe; start date 30/10/2021; architecture WINDOWS; score 100. The graph rendering, with its process tree, dropped-file and network-contact nodes, is not reproduced here.)
Threat name: Win32.Downloader.Stralo
Status: Malicious
First seen: 2021-10-16 15:52:36 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 3/5

Result
Malware family: xloader
Score: 10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar family:xloader botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:933 botnet:937 botnet:@kugurtilzt botnet:ddddd4 campaign:s0iw backdoor discovery evasion infostealer loader rat spyware stealer themida trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Xloader Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Xloader
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: fdadaa29cddfdc73c668258fea6614be64a933dcfa19072a6342024985a0a68b
MD5 hash: d8ba690a888d144be39d35edbb8c1b0b
SHA1 hash: 236d096f35b8fb375f0604b723016e34d3ed186f
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.
