MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 19 File information Comments 1

SHA256 hash:	77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c
SHA3-384 hash:	f001117c4038418d23134e6f72ebb782daa3b022338fe3282fd5c28ceabb91e783a6ae58cddb28aefe72673eb28d55e7
SHA1 hash:	9de500775811f65415266689cbdfd035e167f148
MD5 hash:	1dcce19e1a6306424d073487af821ff0
humanhash:	uncle-bluebird-romeo-lactose
File name:	1dcce19e1a6306424d073487af821ff0
Download:	download sample
Signature	Formbook Create hunting rule
File size:	270'848 bytes
First seen:	2024-05-23 18:52:16 UTC
Last seen:	2025-02-21 11:37:23 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:ZhKO/bBUzpHw6Zw4KKmnZlypy0s1LNbDlLJkEU:ZhKYd8HthKKNy0sX1HU
Threatray	30 similar samples on MalwareBazaar
TLSH	T1214423FF7784B40FE25D26BB175F3729A0888D0E192E63B0B9BD2C421C9916D136816F
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

421

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

59f149ffc55554ce0aac7072bba999b5abb83b023486e017f407883f8a27e4e2.lnk

Verdict:

Malicious activity

Analysis date:

2024-05-23 18:40:51 UTC

Tags:

cve-2017-0199 exploit opendir loader formbook stealer spyware xloader

Link:

https://app.any.run/tasks/d43a91d0-3b81-4f6a-8aab-7b02acf3cc87

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=664f915602cf134c1c7f87efwin7simulatehigh_evasion

Tags:

Encryption Formbook

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook infostealer mikey overlay packed

Link:

https://www.filescan.io/uploads/664f909932eca5b280fc3321/reports/79cc1a8f-3ffd-4d61-94db-ffa954463aa6/overview

Verdict:

Malicious

Labled as:

Trojan.Formbook

Link:

https://www.hybrid-analysis.com/sample/77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27eb2685-7bf6-4b24-979c-4722972d634b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1446800

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2024-05-22 06:21:56 UTC

File Type:

PE (Exe)

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o7quzkxd3lyfyh22ni6rbzetntcysrgwv2pmnfb3dptntfpjjnoa._file

Verdict:

malicious

Label(s):

formbook

Formbook

0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd

Formbook

19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77

Formbook

37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7

Formbook

54c9ab39f879d1c9f3fc61e3cb1ffb06ac237bb20647c1f521d09b2dbb4964d2

Formbook

59f149ffc55554ce0aac7072bba999b5abb83b023486e017f407883f8a27e4e2

Formbook

77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

Formbook

d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0

Formbook

f7decb942c4d2f001d2f810978463780697403597ed4f5102a19c27edd649ce3

Formbook

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240523-xjmcjacd61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/793a34c7-2490-414f-81fb-9349f8e3c35b

Unpacked files

SH256 hash:

c819481488ebdb02a4a5f859ccbf00f11b12f4a65639f3edca5864281f7b3385

MD5 hash:

5ec1f797ade0250fbb029fbf4b59b22e

SHA1 hash:

c5d8a2ea3bbcc6f7d61e188fad5fee3f00d50312

Link:

https://www.unpac.me/results/a454cef6-6250-416d-a377-685cc7da10d5/

SH256 hash:

77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

MD5 hash:

1dcce19e1a6306424d073487af821ff0

SHA1 hash:

9de500775811f65415266689cbdfd035e167f148

Link:

https://www.unpac.me/results/a454cef6-6250-416d-a377-685cc7da10d5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/77e14caae3da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2860869/

URLhaus

https://urlhaus.abuse.ch/url/2862058/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-05-23 18:52:17 UTC

url : hxxp://20.86.128.223/room/rooma.exe