MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5
SHA3-384 hash: d25ec8be2f0db62929a2e72ec35061ab43076320dd6cb2b89929ca67eca21570e86b956ce5eacee242d19763ebc21de5
SHA1 hash: 64f99d05aca898872289fc7b1ccde4bb6f703bb9
MD5 hash: 5a2f3553f03bea972618a4fc780146ab
humanhash: xray-rugby-paris-earth
File name: 5a2f3553f03bea972618a4fc780146ab
Signature: Formbook
File size: 655'360 bytes
First seen: 2023-09-07 09:41:39 UTC
Last seen: 2023-09-07 12:34:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:F5fVsbR2ZLqq2h8zMm8qslD4QBi4LYbOvCpbie7K3RJdTfIQ90ZE7HKS/S:FtO2ZLRD8LlD4UYbXI6KBJJfIB
Threatray: 51 similar samples on MalwareBazaar
TLSH: T162D4EFF92465C7E2C7B483FF54AB84759A23BC02647486CC377C3A845EA5ED34826DB2
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: zbetcheckin
Tags: 32 exe FormBook
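An added check, not code from MalwareBazaar or from this entry: once a copy of the sample has been pulled, confirm it is the file this page describes by recomputing every digest the entry lists (the expected values below are copied from the entry), and refang or defang the delivery URL quoted in the comment section so it can be blocked or pivoted on without being clickable. The imphash is deliberately not part of the comparison: the entry itself shows f34d5f2d4577ed6d9ceec516c1f5a744 shared by 48'660 AgentTesla, 19'469 Formbook and 12'208 SnakeKeylogger samples, which is the import hash of a .NET executable whose only native import is the CLR loader stub, so it identifies the runtime, not the family. The hxxp/[.] defanging convention is an assumption about how IOCs are exchanged, not something the entry specifies.

```python
import hashlib
import sys

# Digests and size copied from the MalwareBazaar entry for this sample.
ENTRY = {
    "sha256": "77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5",
    "sha3_384": "d25ec8be2f0db62929a2e72ec35061ab43076320dd6cb2b89929ca67eca21570e86b956ce5eacee242d19763ebc21de5",
    "sha1": "64f99d05aca898872289fc7b1ccde4bb6f703bb9",
    "md5": "5a2f3553f03bea972618a4fc780146ab",
    "size": 655360,
}


def digest_set(data: bytes) -> dict:
    """Compute the same digest family MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def verify_against_entry(data: bytes, entry: dict = ENTRY) -> list:
    """Return the sorted names of the fields that disagree with the entry.

    An empty list means every recorded digest and the size match, i.e. the
    bytes on disk are the sample this page describes.  All four digests are
    compared so that a collision in one of the weak ones (MD5, SHA-1) cannot
    pass a substituted file.
    """
    got = digest_set(data)
    return sorted(name for name in entry if got.get(name) != entry[name])


# Defanging convention assumed for this example: hxxp(s) scheme, [.] in the host.
_DEFANG_SCHEME = {"http": "hxxp", "https": "hxxps"}
_REFANG_SCHEME = {v: k for k, v in _DEFANG_SCHEME.items()}


def _split_scheme(url: str):
    scheme, sep, rest = url.partition("://")
    return (scheme, sep, rest) if sep else ("", "", url)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL."""
    scheme, sep, rest = _split_scheme(url)
    scheme = _REFANG_SCHEME.get(scheme.lower(), scheme)
    return scheme + sep + rest.replace("[.]", ".")


def defang(url: str) -> str:
    """Defang a URL for sharing: scheme and host dots only, path left intact."""
    scheme, sep, rest = _split_scheme(url)
    scheme = _DEFANG_SCHEME.get(scheme.lower(), scheme)
    host, slash, path = rest.partition("/")
    return scheme + sep + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    # Usage: python verify_sample.py <path to downloaded sample>
    with open(sys.argv[1], "rb") as fh:
        mismatched = verify_against_entry(fh.read())
    print("verified" if not mismatched else "MISMATCH: " + ", ".join(mismatched))
    print(refang("hxxp://80.76.51.248/keninv.exe"))
```

Mismatches are reported by field name rather than as a bare boolean so that a size mismatch (a truncated download) can be told apart from a digest mismatch (a different file).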

Intelligence


File Origin
# of uploads: 2
# of downloads: 265
Origin country: FR
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: http://80.76.51.248/keninv.exe
Verdict: Suspicious activity
Analysis date: 2023-09-07 08:54:27 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Creating a window
Restart of the analyzed sample

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph ID: 1305734
Sample: XdghEZF9GO.exe
Start date: 07/09/2023
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Process tree:
  XdghEZF9GO.exe (started)
    XdghEZF9GO.exe (started, three child instances)
      Maps a DLL or memory area into another process
      Queues an APC in another process (thread injection)
      VFzbybuechzOHycXzdpjrSriENV.exe (injected)
        rundll32.exe (started)
          Tries to steal Mail credentials (via file / registry access)
          Tries to harvest and steal browser information (history, passwords, etc)
          Modifies the context of a thread in another process (thread injection)
          Maps a DLL or memory area into another process
          explorer.exe (injected)
            System process connects to network (likely due to code injection or exploit)
            www.19726.cloud 156.236.68.134, ports 49730, 49731, 49732 (YISUCLOUDLTD-AS-AP, YISUCLOUDLTDHK, Seychelles)
            www.saipanrealtygroup.com 45.114.105.20, ports 49740, 49741, 49742 (XIAOZHIYUN1-AS-AP, ICIDCNETWORKUS, China)
            9 other IPs or domains
          VFzbybuechzOHycXzdpjrSriENV.exe (injected)
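The signatures "Maps a DLL or memory area into another process", "Queues an APC in another process", "Modifies the context of a thread in another process" and "System process connects to network" describe a single chain: a memory write into a foreign process followed by a primitive that hijacks execution there, after which the victim process does the network traffic. As an added illustration (not code from MalwareBazaar or from any sandbox quoted on this page), the Python below applies that logic to a constructed API trace modelled on the process tree reported above. The trace, its "pid process api target" line format, the pids and the API names are assumptions made for the example, not sandbox output. A lone SetThreadContext or QueueUserAPC without a preceding write into the same target is not flagged, which keeps debuggers and similar legitimate callers out of the result.

```python
import re

# Constructed trace, modelled on the reported tree: sample -> child copy of
# itself -> rundll32.exe -> explorer.exe.  Format per line (assumed for this
# example): "<pid> <process> <api> <target>", where a cross-process target is
# written "<pid>:<process>" and a network target is a bare hostname.
TRACE = """\
1000 XdghEZF9GO.exe CreateProcess 1004:XdghEZF9GO.exe
1000 XdghEZF9GO.exe WriteProcessMemory 1004:XdghEZF9GO.exe
1000 XdghEZF9GO.exe SetThreadContext 1004:XdghEZF9GO.exe
1000 XdghEZF9GO.exe QueueUserAPC 1004:XdghEZF9GO.exe
1004 XdghEZF9GO.exe CreateProcess 2000:rundll32.exe
2000 rundll32.exe WriteProcessMemory 500:explorer.exe
2000 rundll32.exe SetThreadContext 500:explorer.exe
500 explorer.exe connect www.19726.cloud
500 explorer.exe connect www.saipanrealtygroup.com
3000 svchost.exe connect time.windows.com
"""

LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<api>\S+)\s+(?P<target>\S+)$")

# Primitives that place code or data in another process ...
WRITE_APIS = {"WriteProcessMemory", "NtMapViewOfSection"}
# ... and primitives that make the other process run it.
EXEC_APIS = {"SetThreadContext", "QueueUserAPC", "NtQueueApcThread", "CreateRemoteThread"}


def parse(trace: str):
    """Yield (pid, process, api, target) for every well-formed trace line."""
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m["pid"]), m["proc"], m["api"], m["target"]


def _remote_pid(pid: int, target: str):
    """Return the target pid when the call crosses a process boundary, else None."""
    tgt, sep, _ = target.partition(":")
    if sep and tgt.isdigit() and int(tgt) != pid:
        return int(tgt)
    return None


def detect(trace: str) -> list:
    """Return ("injection", src_pid, dst_pid) and
    ("injected-network", pid, process, destination) findings, in trace order."""
    written = set()    # (src, dst) pairs with a memory write already seen
    flagged = set()    # (src, dst) pairs already reported, to report once per pair
    injected = set()   # pids whose execution was hijacked
    findings = []
    for pid, proc, api, target in parse(trace):
        remote = _remote_pid(pid, target)
        if api in WRITE_APIS and remote is not None:
            written.add((pid, remote))
        elif api in EXEC_APIS and remote is not None:
            pair = (pid, remote)
            # Write followed by execution hijack on the same target = injection.
            if pair in written and pair not in flagged:
                flagged.add(pair)
                injected.add(remote)
                findings.append(("injection", pid, remote))
        elif api == "connect" and pid in injected:
            # Network activity of a hijacked process is attributed to the injector's chain.
            findings.append(("injected-network", pid, proc, target))
    return findings


if __name__ == "__main__":
    for finding in detect(TRACE):
        print(finding)
```

The ordering requirement (write first, hijack second) is what distinguishes the chain from the individual "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" behaviours listed by the other sandbox further down, each of which also occurs in benign software.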
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2023-09-07 08:52:33 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 18 of 23 (78.26%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: 00da23f8a5b82d32c7469fda490c0f12184cd2018e937823127e9cfec761e639
MD5 hash: 1ce116bba3a87c0838c4a595fb6aec3b
SHA1 hash: 61737a4c3f2e0cb3a8806ad099e8eb1f327bbfb0
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 4922adf4ae64e99e4221060772903fee0dc5e950d2384da79b3164d449bc72f2
MD5 hash: 430fe0a134431c071fb247ff24242530
SHA1 hash: f8a7f9a21e6ec2aaf7e7d716a32e5eeeedd6d5e1

SHA256 hash: 784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80
MD5 hash: 5caf74e6818e40e82651781613a42425
SHA1 hash: 2a182b1552373e0907bfd03db31120596df994d0

SHA256 hash: 43d64bdb904fdeb25f25928bb68dbd93a6304b50147b435c2e6446f1176b9b44
MD5 hash: 68fb0c7a8cda3cfc2fb6ef8eccb83f04
SHA1 hash: 22c0951f010c60a4a70e0d949818b7b88593e36f

SHA256 hash: ba6c7dbbcaac7de4165fd057a2051c88ee3efb57d449e7992242a7fc1ded1cc1
MD5 hash: f1f681c8783dff99dd6aede6ae0965bf
SHA1 hash: 0a428d38a0eda39bc6106044a7f29a27745728eb

SHA256 hash: fca2aebfa8f472393ee7e0abb5ba30d254488d6663d1ebf115c72ce4a717d6d4
MD5 hash: fccfeb80c0291bfc1f1b7d5c37322629
SHA1 hash: e0ffa2eb255b352415cac6df5ef177c1172cab79

SHA256 hash: cc2c956ea307a8a8f9a05ece3fcf01cfd1dc74a38e4eee7a67b430991bd51e02
MD5 hash: d319ceb648c32252583eeafe36eb6660
SHA1 hash: df06ab9c2b41fcd2c9e7fd7f0d3b1d55b27dff81

SHA256 hash: 567f6fc8d04aaed6d3a0204bb6bd10d13a0f526d0464779116d4fe744d72a50e
MD5 hash: 89d8526047adddb84a21782bd075535e
SHA1 hash: c98903b185598204ad256edc5cd0293e2f97943d

SHA256 hash: 272fa998b63e28cbdaf059489f215606d55a8c33a0fe3f9fe794974ebaaa49f6
MD5 hash: 64ac471c35848892401f272de8560897
SHA1 hash: 4ef96cbfd7e5c89fc41005b04bd02dc63bdae546

SHA256 hash: 3148ccfcac25ea97a423afef232d3ab78c492c5e3c82939cfa9ed832f9944c4a
MD5 hash: cb8d96cb79925122fa9f770a950d1652
SHA1 hash: 4dc35001b7567f68f3cd066038f4a36b5891d980

SHA256 hash: 77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5 (this sample)
MD5 hash: 5a2f3553f03bea972618a4fc780146ab
SHA1 hash: 64f99d05aca898872289fc7b1ccde4bb6f703bb9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Formbook
File: Executable exe 77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5 (this sample)

Comments



zbet commented on 2023-09-07 09:41:40 UTC

url: hxxp://80.76.51.248/keninv.exe