MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77bd5b8fde14dc292c27e9526ee5c4d33b557d936deae82fa7abb3e768a74c3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: 77bd5b8fde14dc292c27e9526ee5c4d33b557d936deae82fa7abb3e768a74c3b
SHA3-384 hash: b17d946c8febd8698216a46eaadc568c4b55fb74c7eb802d360e84cf5c0810275489e14beda8029b3a25d239edeba480
SHA1 hash: 562aeee42c55410fbc2935cc9879236390ee8944
MD5 hash: b4c5a379d38312666805d0d33e2801b7
humanhash: carolina-connecticut-saturn-timing
File name: SW_48912.scr
Signature: Formbook
File size: 811'528 bytes
First seen: 2024-12-24 10:26:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:tuwWmcF55OHTDP19OsImqDqsL/dSdOjy0gIgfxt3VXP3T3d+0v3hBSzTCoMqSujq:t6FXOP1omGvAky0KxRlbdjfuTE+W
Threatray: 4 similar samples on MalwareBazaar
TLSH: T1A405029C2618E803C95527B44A71F2B92B75AEE9B802D3C35FD87DEFB5A6F644C05083
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: f04dcc8c8e9696e8 (3 x Formbook, 1 x njrat, 1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe FormBook scr

Intelligence


File Origin
# of uploads: 1
# of downloads: 532
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SW_48912.scr
Verdict: Malicious activity
Analysis date: 2024-12-24 10:36:21 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: shell virus micro
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade obfuscated packed packed packer_detected
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID: 1580361)
Sample: SW_48912.scr.exe
Startdate: 24/12/2024
Architecture: WINDOWS
Score: 100

Network contacted from the start node: www.letsbookcruise.xyz (Performs DNS queries to domains with low reputation), www.sorket.tech, 12 other IPs or domains
Signatures on the start node: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures

Process tree:
  SW_48912.scr.exe (started)
    dropped: C:\Users\user\...\SW_48912.scr.exe.log, ASCII
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    SW_48912.scr.exe (started)
      signatures: Maps a DLL or memory area into another process
      kygSlzwdnMXWUy.exe (injected)
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
        sdchange.exe (started)
          signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          kygSlzwdnMXWUy.exe (injected)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            network: techstarllc.cloud 45.41.206.57, ports 49761, 49766, 49775 (WEB2OBJECTSUS, Reserved); www.cruycq.info 47.83.1.90, ports 49950, 49959, 49965 (VODANETInternationalIP-BackboneofVodafoneDE, United States); 5 other IPs or domains
          firefox.exe (started)
    powershell.exe (started)
      signatures: Loading BitLocker PowerShell Module
      WmiPrvSE.exe (started)
      conhost.exe (started)
Threat name: ByteCode-MSIL.Trojan.Remcos
Status: Malicious
First seen: 2024-12-24 04:28:22 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files

SHA256 hash: ec17c20e808988bedcc850bd78043d11386e83fbca3abd217260478ba3882998
MD5 hash: bad1c7309750214dccd121f41e714b47
SHA1 hash: 8d5faf36a0449d02b3fa05b4a9724687c765ad37
Detections: win_formbook_g0

SHA256 hash: a6dd709e993fc8fb46676f5480d32012eafac26f0e174c3314a047b06ea983cf
MD5 hash: 319ac410fb55b41bf09e602d101c1a7e
SHA1 hash: d209ca8d7be0ef566f180405f585961c6f0db04a

SHA256 hash: 319be211ee62f3cbb25192c2d621e29d1e41e9fd76cf3bf5690ab309acccdc40
MD5 hash: 69c8921faa9a73f3ba3b48e1ed624679
SHA1 hash: b1693ec2672e62769d5708948dfa4c964f36a785

SHA256 hash: f69e099e86523f5131a2d2676f63850ba3c2f9b80029dc91c23f3db942e577df
MD5 hash: 9279c613a2d619f9e71643814b0298c3
SHA1 hash: a881d26812580a77e77cccf77ee0e41bab48dc33
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 77bd5b8fde14dc292c27e9526ee5c4d33b557d936deae82fa7abb3e768a74c3b
MD5 hash: b4c5a379d38312666805d0d33e2801b7
SHA1 hash: 562aeee42c55410fbc2935cc9879236390ee8944

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                       Severity
CHECK_AUTHENTICODE         Missing Authenticode                                        high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)      high

Comments