MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
SHA3-384 hash: 76f0d999e69dcfbaee34feb1a23d8cb6b4af07b5ef72aac3cf09515ca7848f3e34595429ee1bab1414f2f8d4ced015f7
SHA1 hash: 499c664b4170c484c661286d02135186ae5e77f8
MD5 hash: d0c1e2d3400adbc801fb564688620041
humanhash: sweet-leopard-maryland-muppet
File name:NEWCUSTOMER-PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:780'800 bytes
First seen:2023-03-15 09:39:59 UTC
Last seen:2023-03-15 11:27:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZCvwk/wjZBHYBcLnCdP9+V7ywfxxM+fd6BVvhazSUQxHIugLrxhS/ESBoYXJGRTw:ZCvwIkBaf+RTG+fdifRFgLjS/7nJT
Threatray 2'447 similar samples on MalwareBazaar
TLSH T1BAF4120CB6BC2265C61E373F81B116489376ED0AD722EB2E1DC568730DF27C8E945D96
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
NEWCUSTOMER-PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 09:42:47 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/97c47f00-ab92-484b-a3b2-9e9c05c89cba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374498/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1889.25008.7123.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6411927406c49bd8b6b5eab5/reports/2394cb1c-2f58-4b0d-bd11-b0f6f40aa822/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a148f90-8f22-489b-be64-73fb15018659
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194014
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 826915 Sample: NEWCUSTOMER-PDF.exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 67 www.zkdwvtg.top 2->67 89 Snort IDS alert for network traffic 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Sigma detected: Scheduled temp file as task from temp location 2->93 95 6 other signatures 2->95 11 NEWCUSTOMER-PDF.exe 7 2->11         started        15 UdaCiZJIbbVG.exe 5 2->15         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\UdaCiZJIbbVG.exe, PE32 11->57 dropped 59 C:\Users\...\UdaCiZJIbbVG.exe:Zone.Identifier, ASCII 11->59 dropped 61 C:\Users\user\AppData\Local\...\tmpE079.tmp, XML 11->61 dropped 63 C:\Users\user\...63EWCUSTOMER-PDF.exe.log, ASCII 11->63 dropped 107 Uses schtasks.exe or at.exe to add and modify task schedules 11->107 109 Adds a directory exclusion to Windows Defender 11->109 111 Tries to detect virtualization through RDTSC time measurements 11->111 17 NEWCUSTOMER-PDF.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        28 2 other processes 11->28 113 Multi AV Scanner detection for dropped file 15->113 115 Machine Learning detection for dropped file 15->115 117 Injects a PE file into a foreign processes 15->117 24 UdaCiZJIbbVG.exe 15->24         started        26 schtasks.exe 1 15->26         started        signatures6 process7 signatures8 81 Modifies the context of a thread in another process (thread injection) 17->81 83 Maps a DLL or memory area into another process 17->83 85 Sample uses process hollowing technique 17->85 87 Queues an APC in another process (thread injection) 17->87 30 explorer.exe 3 1 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        process9 dnsIp10 73 www.customerservicesafesteptub.com 81.17.18.196, 49695, 49696, 80 PLI-ASCH Switzerland 30->73 75 prostockdirect.store 103.20.200.121, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 30->75 77 www.prostockdirect.store 30->77 119 System process connects to network (likely due to code injection or exploit) 30->119 40 colorcpl.exe 18 30->40         started        45 cmstp.exe 30->45         started        signatures11 process12 dnsIp13 69 www.prostockdirect.store 40->69 71 prostockdirect.store 40->71 53 C:\Users\user\AppData\...\439logrv.ini, data 40->53 dropped 55 C:\Users\user\AppData\...\439logri.ini, data 40->55 dropped 97 Detected FormBook malware 40->97 99 Tries to steal Mail credentials (via file / registry access) 40->99 101 Tries to harvest and steal browser information (history, passwords, etc) 40->101 105 2 other signatures 40->105 47 cmd.exe 40->47         started        103 Tries to detect virtualization through RDTSC time measurements 45->103 file14 signatures15 process16 file17 65 C:\Users\user\AppData\Local\Temp\DB1, SQLite 47->65 dropped 79 Tries to harvest and steal browser information (history, passwords, etc) 47->79 51 conhost.exe 47->51         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 09:08:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7wstk4kvhndm2mhjq7ut2a4laiqlkmb5bjxu6byfxdj4bbziota._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4
Formbook
5dc78112397a04a6b3cef6f63aa0c817e641cb4cefb8fd91958cdfed48d57bbe
Formbook
60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8
Formbook
6fb6a2160d5ceeef3420d09b7156d35e403ba7098bc0bdcadc9e721de1b3d5af
Formbook
9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
Formbook
a442f82c38de8318198d6dd2415b2ff10eb9851e20687ba6d4105525d1e56f0b
Formbook
ced21302bfa069209473ff66c3511ee8530a11a5323db0b485acb12d6a88a188
Formbook
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df
Formbook
edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
Formbook
fb1ccc21ef84112ec41d904546fa6e35c0ee0ff48626b68dd2d1839f77a4b508
Formbook
+ 2'437 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:h3sc rat spyware stealer trojan
Link:
https://tria.ge/reports/230315-lm7xvsce74/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Formbook payload
Formbook
Unpacked files
SH256 hash:
2932e187fac52319a537e2a79a9267e2f432edd9384a7dfc73ae8477aee9ada6
MD5 hash:
3f97a302fcab7f103f2f48c0cc34a4fc
SHA1 hash:
4eec7c8c6dae844eb206a90d4b9d4ddff97f1122
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/fdddf258-00de-4477-8462-915c7fffade3/
Parent samples :
6fb6a2160d5ceeef3420d09b7156d35e403ba7098bc0bdcadc9e721de1b3d5af
77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
be67380a29f7a6441a097d6921cf5c7348bc0ed6d20844b7ec662c24d96c82a5
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/fdddf258-00de-4477-8462-915c7fffade3/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
7f721f4dc2f68550ffae9f8687029b882dc8bfacc766ad6e9e68d3a8c996f86f
MD5 hash:
3a8e53966aa3a5f8515b2aa4352c3666
SHA1 hash:
9080986d2b84346a86ee2b1ef1ba1c0a75a9bd3a
Link:
https://www.unpac.me/results/fdddf258-00de-4477-8462-915c7fffade3/
SH256 hash:
7f3fe94e25f0b405b6e8566b0a830703336318b099ade04e1fb24d43c9ec209c
MD5 hash:
a76cf0a5a42d586bfd2b3a53b62e9689
SHA1 hash:
6deb7c53fd0f5a44652f9b85f7021b162f936cf4
Link:
https://www.unpac.me/results/fdddf258-00de-4477-8462-915c7fffade3/
SH256 hash:
ab7ad325cc84f65ee3f33d0409a1be0e39b543dc88024c3961095e3b644e94ed
MD5 hash:
2fa2888b65bed209148aa3e1b32efbb6
SHA1 hash:
60753b00e0e189cb518644ec71c2fb8cacb8b462
Link:
https://www.unpac.me/results/fdddf258-00de-4477-8462-915c7fffade3/
SH256 hash:
77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
MD5 hash:
d0c1e2d3400adbc801fb564688620041
SHA1 hash:
499c664b4170c484c661286d02135186ae5e77f8
Link:
https://www.unpac.me/results/fdddf258-00de-4477-8462-915c7fffade3/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77ed29ab8aa9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/374498/

Comments