MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363
SHA3-384 hash: fb45f11e667899de01bc641318553212d57ca4fd012b370c8c2df928010c3d0cbf909a42ddf48e0bc7e470f60bb4c483
SHA1 hash: 8a825ea35dc30e117e62dc768a0d56ce98d7f2a3
MD5 hash: 716704ffe2145a72d2fba734acbd8ff0
humanhash: north-bakerloo-winter-double
File name:Online Doc901.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:325'120 bytes
First seen:2021-06-18 07:35:25 UTC
Last seen:2021-06-18 08:49:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:iCMZFojxeKGZ519bvNgoiG/ewiI/Oe0tjjXpH9CyeK97Na:soj8j5nlgo52q0tnrN7
Threatray 4'850 similar samples on MalwareBazaar
TLSH 9664127876D2C363ED16033BAE52294013A5E4356EA5DA6D6C40C3259D3BFF48D02BAF
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Online Doc901.scr
Verdict:
Malicious activity
Analysis date:
2021-06-18 07:39:52 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/49dad81c-4182-493d-80a7-f085cf591df7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166782/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.10179.30029.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e7ddb72-c68f-436f-a55c-5c7cadeb0d9e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804191
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 436616 Sample: Online Doc901.scr Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 29 www.dijuyi.com 2->29 31 prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com 2->31 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 8 other signatures 2->53 9 Online Doc901.exe 3 2->9         started        13 explorer.exe 2->13         started        16 Online Doc901.exe 2->16         started        signatures3 process4 dnsIp5 27 C:\Users\user\...\Online Doc901.exe.log, ASCII 9->27 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->55 57 Injects a PE file into a foreign processes 9->57 18 Online Doc901.exe 9->18         started        33 www.suachuaotoquan8.com 210.211.119.42, 49754, 80 VTDC-AS-VNVietel-CHTCompamyLtdVN Viet Nam 13->33 35 www.southwestsoaring.com 13->35 59 System process connects to network (likely due to code injection or exploit) 13->59 21 control.exe 13->21         started        file6 signatures7 process8 signatures9 37 Modifies the context of a thread in another process (thread injection) 18->37 39 Maps a DLL or memory area into another process 18->39 41 Sample uses process hollowing technique 18->41 43 Queues an APC in another process (thread injection) 18->43 45 Tries to detect virtualization through RDTSC time measurements 21->45 23 cmd.exe 1 21->23         started        process10 process11 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 19:07:20 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7pl2j6h5aq2hiweqd33se3x3utqnivbtf2rgksrih4s3bywanrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
40877c93388c9ea545a95760ecd8fe9f7e9909b4cb96a906a3ab90408cf6c6cf
Formbook
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
Formbook
4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543
Formbook
5d4c17f9ea28e3df3efa9d9c7ba40444abeee049fe999eb2d579c6cf4ccc3231
Formbook
74743d6468cedf3e66f1171ef32981dca4fb211b3fd7be519045fc42b077ced2
Formbook
779eeda6d0720fba8df941954d1bd4c04d4b60e1488b562ec2a77c37c72796c4
Formbook
78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c
Formbook
9dac57302e2261a1a3c6a665d3960525b27fb70a1fd6b1e135a3e72f11c6f3e6
Formbook
e3ccade6f4b9accc6cffa813b88862d68f78f0f1c601a57d0573e60deea6a370
Formbook
f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
Formbook
+ 4'840 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210618-2jsvbkwng2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.celinehair.com/e7hf/
Unpacked files
SH256 hash:
c708a72654e2ffad6cc07b17b604eff2b657f31edb0134af9f613ffdb1c7b3e2
MD5 hash:
fa657047b570bbb286abcd7fadbbca93
SHA1 hash:
74edf7c869a8f717972a406f9b739be5d01dccdb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6234c602-14ee-4f6c-ada6-553de326572d/
Parent samples :
96f3a3030eeb072ca1872f376968f3d0515af0c3aba21a1a1f77625ee1af1632
77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363
2c838cbeadc11938892397831181338333ce8c2baace411aad528d5081e976fa
84de052507d92575b15db6e247696f77f71b02902a15319baa83dacaa333a775
c2874fa8a593d805c31340651b9ebf7308e6db8e2c33baca8a33188d91ef8605
2e6a479b31c154cdeea1f9502d6a9d820369c1b4b6c91d756ec8011054628f10
777099a02f34b28dc78e4f5aebe54f19ee391449b8648f611c6cf3c0352f9ee8
c327a9bad9c1f25d9da900eb60b3ef7a0387d232c30bebb4d8b4b1bb62e257fb
03e5bebad534a6061452af4f7b266bf214e8ad97f6d51d683378360f1351da30
26563dccfc02bb19e03b7c0ed406bf1a8b55dabdd44148fe04e35ea00bd6f138
d835bb8d896d0a858feecf968258bc9d5d53e8013e01463db68ae2b5bae8fedf
SH256 hash:
cefe87a0de015dc44dc1086458460be07edba8d9f7211c4bed8a11809d520a72
MD5 hash:
0403b7f4765e08a2f74690caf1a82990
SHA1 hash:
b0e9f69b8c337b605edecdcc3345c6f0045ee04e
Link:
https://www.unpac.me/results/6234c602-14ee-4f6c-ada6-553de326572d/
SH256 hash:
6af76eb9d01a078547d993b6c43072c8df3cf07d432412fbfde3428122e2649b
MD5 hash:
951f5eea3341dad92ffc75dec83b1f65
SHA1 hash:
0256428a7bd6aa241ac169ef0c8b5bfd8d99e61d
Link:
https://www.unpac.me/results/6234c602-14ee-4f6c-ada6-553de326572d/
SH256 hash:
77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363
MD5 hash:
716704ffe2145a72d2fba734acbd8ff0
SHA1 hash:
8a825ea35dc30e117e62dc768a0d56ce98d7f2a3
Link:
https://www.unpac.me/results/6234c602-14ee-4f6c-ada6-553de326572d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 77debd27c7e821a3a2c480f7b91377dd2706a2a19975132a5141f92d87160363

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/166782/

Comments