MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 12
| SHA256 hash: | ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca |
|---|---|
| SHA3-384 hash: | 79b7dc9f7eab517eedbed46fddc0a42f577930767e1b7240315dd03b6a2a0a5ff1e265517eecb0e697cf79c9b1f058f9 |
| SHA1 hash: | 05dc92afedab7b7d7a49cc8e7428c5e3f8c59579 |
| MD5 hash: | 89c685c0c13cbd4df04e1a17202fe37e |
| humanhash: | white-wisconsin-magnesium-maryland |
| File name: | Scan180624.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 1'217'536 bytes |
| First seen: | 2024-06-24 11:51:59 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | bd3825b6e0410966f0c31f64b6c7644a (36 x AgentTesla, 15 x Formbook, 6 x RemcosRAT) |
| ssdeep | 24576:LAHnh+eWsN3skA4RV1Hom2KXcmtcuqulD/+ktDrSXpvNl:mh+ZkldoPKsacuqulToXpV |
| TLSH | T16C45BD0273D1C036FFABA2739B6AE24556BC7D254133852F13982D79BD701B2263E762 |
| TrID | 49.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 22.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| File icon (PE): |  |
| dhash icon | aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla) |
| Reporter |  adrian__luca |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
338
Origin country :
HUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca.exe
Verdict:
No threats detected
Analysis date:
2024-06-24 12:00:37 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Link:
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.Nymeria
Status:
Malicious
First seen:
2024-06-24 11:53:04 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 38 (52.63%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
unknown
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash
AutoIT Executable
Unpacked files
SH256 hash:
fbc684b9f271d7181520b209e056c1716ba7b4978a2f16436f9bd70a092d9a70
MD5 hash:
d1c5b0c93c60dadd5c6407b6b008114f
SHA1 hash:
88bdaed82d9772d06d2e86f0b6b3b08d16e155e7
Detections:
win_formbook_g0
win_formbook_w0
Parent samples :
6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
1f66505224b6b1669db0864482bdbd457da983e886ed943c59834eae5e5c32f2
00f1fb00fbb9ce5d850680876407d82a520230bc09ffa540d5321fb5ecb1d0c8
ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
1f66505224b6b1669db0864482bdbd457da983e886ed943c59834eae5e5c32f2
00f1fb00fbb9ce5d850680876407d82a520230bc09ffa540d5321fb5ecb1d0c8
SH256 hash:
80a405771746ba16d6cbee64bd480b6fa8e2ae49fcc0075ed9358ba1c4727dfe
MD5 hash:
77e88fbec9d9c24aef7284c21dd27e0e
SHA1 hash:
56142271a45747e78c36b18cae59282f8f6fe58d
SH256 hash:
54c2552a42305d023a450581d352236df4dbe837f51f4ce796ce0b5273d78208
MD5 hash:
baae814676fafc937a063b4d973a3129
SHA1 hash:
f1070b6762ce9a1b0e0719be58708ed875fbb4c0
SH256 hash:
e51cc5b741e508f915cd693a2f5a3fb4ee6bbf6b34c87d342a474192f81cddd6
MD5 hash:
c7e6969b2e6096db6f684250b513eeb3
SHA1 hash:
983e997055184c90aec7eb130e2bf8b776618c31
SH256 hash:
65ca91bfeb346236895b89dd487d79d389075c9f53a3cdf973b293d583960432
MD5 hash:
1acdf339c209320722ac7ba194effa87
SHA1 hash:
647013e1e976af9f15e94cfde1588b666ebc8fb8
SH256 hash:
432e406a678bcca9af0ffc92474b2b38125b9bf01ed338268aeefdc5633e6b17
MD5 hash:
469288379a1b7c7a254bfe2f6d42df38
SHA1 hash:
5baf40d640da62b02569934fe040d4fb05044df7
SH256 hash:
3d5c3df37374ff6912c161363da5731d6e119e4f74cc411aeae52cb816a7cb3b
MD5 hash:
9b32fdd47f6ab805305b5000e97ff748
SHA1 hash:
58da267b8e36ed431842d808460155029620a65e
SH256 hash:
18ae683be3a39973578c0d2b9074bcb1625151edeaf7eeba9a00ca425da6e3fc
MD5 hash:
2e5ddd5f1d1ed11b6eb89d3ba3989567
SHA1 hash:
4b2a1caa28a10719137c1b65baa912cc590fc2df
SH256 hash:
ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca
MD5 hash:
89c685c0c13cbd4df04e1a17202fe37e
SHA1 hash:
05dc92afedab7b7d7a49cc8e7428c5e3f8c59579
Detections:
AutoIT_Compiled
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.DLL::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.DLL::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.DLL::TerminateProcess KERNEL32.DLL::SetSystemPowerState KERNEL32.DLL::LoadLibraryA KERNEL32.DLL::LoadLibraryExW KERNEL32.DLL::LoadLibraryW KERNEL32.DLL::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.DLL::WriteConsoleW KERNEL32.DLL::ReadConsoleW KERNEL32.DLL::SetStdHandle KERNEL32.DLL::GetConsoleCP KERNEL32.DLL::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.DLL::CopyFileExW KERNEL32.DLL::CopyFileW KERNEL32.DLL::CreateDirectoryW KERNEL32.DLL::CreateHardLinkW KERNEL32.DLL::CreateFileW IPHLPAPI.DLL::IcmpCreateFile |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.DLL::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.