MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804
SHA3-384 hash: e7e07643a19b275377a9bca87ed7041c4ae2cebc409ca7a025b291ea99de32fe176ff7fd3d79f3bfc6df6e226be2e4d1
SHA1 hash: b1bc299bb977c2732a93062903f70cb06c24a085
MD5 hash: 4bb77e30a2cea771b1bda6ac99c4e19e
humanhash: oregon-stairway-burger-johnny
File name:Payment Receipt.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:866'816 bytes
First seen:2023-11-07 19:00:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JVpBmiET9+jRl7DQuq9hUYnHmVam1FtI7DrCnboL7Q++448NCUcYuS9:uy9QrhPGVFICnbZ+Xj8Uj9
Threatray 109 similar samples on MalwareBazaar
TLSH T1A8059C31226A5B96C9774FF4C50C754C43B26E59247EE219CCCEB3FA9AF5B400A42B27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7144.21411.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/654a89702546bd423f13144c/reports/cc4e1e05-031d-4bee-9b62-086a81f9751c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2139b4fe-83b1-4144-8d65-9b198d2fe34f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338469
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338469 Sample: Payment_Receipt.exe Startdate: 07/11/2023 Architecture: WINDOWS Score: 100 32 www.kinoppi-ron.blog 2->32 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 Payment_Receipt.exe 4 2->10         started        signatures3 process4 signatures5 52 Adds a directory exclusion to Windows Defender 10->52 54 Injects a PE file into a foreign processes 10->54 13 Payment_Receipt.exe 10->13         started        16 powershell.exe 23 10->16         started        18 Payment_Receipt.exe 10->18         started        process6 signatures7 56 Maps a DLL or memory area into another process 13->56 20 lWpxElIzgxwGlxNNZh.exe 13->20 injected 22 conhost.exe 16->22         started        process8 process9 24 ROUTE.EXE 13 20->24         started        signatures10 44 Tries to steal Mail credentials (via file / registry access) 24->44 46 Tries to harvest and steal browser information (history, passwords, etc) 24->46 48 Maps a DLL or memory area into another process 24->48 50 Queues an APC in another process (thread injection) 24->50 27 lWpxElIzgxwGlxNNZh.exe 24->27 injected 30 firefox.exe 24->30         started        process11 dnsIp12 34 www.kinoppi-ron.blog 160.251.148.126, 49740, 80 INTERQGMOInternetIncJP Japan 27->34
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-07 19:01:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5lz2zvjuwepqlkatxxziabmot5no4u2x6b5mm4iz2exwzvvbaca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3afc0028673ed61ad26ab1861b7afc3b60b3476995da0c8c647e98d0e1a09d8f
Formbook
40203565c21de2f3923f1c4bb185068706f0bf56366cb099e6483737020b2ae3
Formbook
4ecc427abbc3efbeae4fc42d383497728056a76951f5bad56a67002406eaca66
Formbook
5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
Formbook
806fcbc57ef1ed9cf02a322dabaa21439e715fc6bc6c689384cd67addf21bd76
Formbook
93e67c89acf315406deaec6ad48437458dcc4a26a00d528777fad25ff4e431fc
Formbook
b5081a6bb5cd550a99f314c6dd7e76cd217473ddfec2f65c1b5ec13a000680b7
Formbook
dd6b0535110695ea9fe92bf6eac3e2b98c72b7bd9edbe3ae2ca6a1e4ac348c22
Formbook
e0793d63666fd27dd0132db7bd77c06ed6fb2d9dd919aa774886e9732e5db57d
Formbook
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231107-xn7h9sfd43/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
584ddec7edcc39b1285c0d152fb95a56fb9944802425f6386740a519b1aead45
MD5 hash:
1c37cac25a5f76d851d2a39f2e7fe672
SHA1 hash:
56249dadf6624b6a609e8e33bd5d4962d05f3919
Link:
https://www.unpac.me/results/5e5b5091-931e-4194-a8a4-dc288bc235fd/
SH256 hash:
57d50a1ee3037b60106c4e7426574115254425b4b4ea9dbe77208155709dffda
MD5 hash:
8e6c71454a0bf955f39f3231d9fd3a6c
SHA1 hash:
a57eefc72d25e207c2cdd8fda9881213bb3e434b
Link:
https://www.unpac.me/results/5e5b5091-931e-4194-a8a4-dc288bc235fd/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/5e5b5091-931e-4194-a8a4-dc288bc235fd/
SH256 hash:
e28f65b28241ecff3889878d915e3e82b72557229c8411f2c9208841d7c5b9b4
MD5 hash:
cf3e2927363ad2c3748423af0a93db7c
SHA1 hash:
80c466c9a8fdbfe3175de09f3bf3928a931ade06
Link:
https://www.unpac.me/results/5e5b5091-931e-4194-a8a4-dc288bc235fd/
SH256 hash:
bfef9eac82e53e8d63bcb3b3022880eaf8f22cbbc6c69f3782b59c438f649f12
MD5 hash:
ddf81912128dd196140e9be656c3a212
SHA1 hash:
51221baf7115f7f2de03cd00b8b25cfde9241a35
Link:
https://www.unpac.me/results/5e5b5091-931e-4194-a8a4-dc288bc235fd/
SH256 hash:
77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804
MD5 hash:
4bb77e30a2cea771b1bda6ac99c4e19e
SHA1 hash:
b1bc299bb977c2732a93062903f70cb06c24a085
Link:
https://www.unpac.me/results/5e5b5091-931e-4194-a8a4-dc288bc235fd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77579d66a9a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments