MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77c8229ca84c4dcc76e71af9dfd376baeb9f45595989b5b24dfd57892f314900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	77c8229ca84c4dcc76e71af9dfd376baeb9f45595989b5b24dfd57892f314900
SHA3-384 hash:	cefab7ee7c6da4aaac918cc3f53145258e5758829242aea63c1f386cacd4c1acded81eb524b45c43ee045d2bbe8fa52f
SHA1 hash:	bd26da45e1f073b27c5871dade5d370ed814b50c
MD5 hash:	6bcc3b4e6b2abe6857d04a61e6e430c6
humanhash:	indigo-potato-salami-echo
File name:	SecuriteInfo.com.Trojan.Olock.1.10428.22192
Download:	download sample
Signature	Formbook Create hunting rule
File size:	541'184 bytes
First seen:	2022-07-04 03:32:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:GFHHP/gHPi3jGevBLqwVSP3HS9B+ZZ/5mXdHw1CWjNTpl5kN:OlvBmHLZZhmXYpS
TLSH	T1B6B4122C7AF4AA35DA2F07BDC49780C04370E06C3943DB7EC615A1EA357737191A9AA7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Olock.1.10428.22192.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62c25fac76fa5a59944058d6/reports/8a23e1bb-e75d-41ec-a8ed-e5a5684eac11/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc39ea12-62c1-4d5d-a996-8f8321dde872

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1023834

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/77c8229ca84c4dcc76e71af9dfd376baeb9f45595989b5b24dfd57892f314900/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-04 03:33:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o7ecfhfijrg4y5xhdl457u3wxlvz6rkzlge3lmsn7vlyslzrjeaa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/220704-d362hagde2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

a4372c9f0ca44e74e194eb42fb4c3712a93cf5637b2c1c1413d4059beb01038c

MD5 hash:

1055fc4f6ff94a65f011f7450b276907

SHA1 hash:

fa53fd6ed7bea06f3bda76bc2c6cc7d31dc6f48c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/42bc1c78-1ca0-4efb-ae6e-15080b4cecca/

SH256 hash:

ff330e14daf77e346a977a6422f2745c9e986e398c266ff044b9e3325717587a

MD5 hash:

2d6292eb73b102fc32595ca296bb35ea

SHA1 hash:

fa710cf420f00f78415c32369ed435fcca94a10c

Link:

https://www.unpac.me/results/42bc1c78-1ca0-4efb-ae6e-15080b4cecca/

SH256 hash:

2a1e0d08036c03ff2d9e1629ddc8cf8df26c811fcacaab9cf686490e8140105c

MD5 hash:

d10dc47d79ae94e6c0773983817ffaf1

SHA1 hash:

92333c2e3e8fdd283ec151d6f759aac54e8fec3d

Link:

https://www.unpac.me/results/42bc1c78-1ca0-4efb-ae6e-15080b4cecca/

SH256 hash:

5ccac65058d7bf41edcffd16a0c10ea35d5b37cf839562bed41becd6e4785eb8

MD5 hash:

34dd42bf2876fc18d3998df63e1ac819

SHA1 hash:

3767b4dc746a6db9ccfb5aeffeeaf3cc05a2b53c

Link:

https://www.unpac.me/results/42bc1c78-1ca0-4efb-ae6e-15080b4cecca/

SH256 hash:

ffceeee3077518f7896cea5b18eb0213b1b8b6704c11a319737240a36790ec8b

MD5 hash:

783e30f049e20ed3d5568de1952328b2

SHA1 hash:

2c9697c8cdfef42ef00a2d2b476cc721585b91a7

Link:

https://www.unpac.me/results/42bc1c78-1ca0-4efb-ae6e-15080b4cecca/

SH256 hash:

77c8229ca84c4dcc76e71af9dfd376baeb9f45595989b5b24dfd57892f314900

MD5 hash:

6bcc3b4e6b2abe6857d04a61e6e430c6

SHA1 hash:

bd26da45e1f073b27c5871dade5d370ed814b50c

Link:

https://www.unpac.me/results/42bc1c78-1ca0-4efb-ae6e-15080b4cecca/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/77c8229ca84c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample