MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 977efd6cd3a376be30cfac84af59290e83ea5b816d12a932dfeb361478eeb877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10



SHA256 hash: 977efd6cd3a376be30cfac84af59290e83ea5b816d12a932dfeb361478eeb877
SHA3-384 hash: 31b3fa29d498962687372b7d361f10624162b3cca71b80e6aa4ba21ca76352e383887708cd511135622fb1f6e3265f95
SHA1 hash: 33d2284636fa19f52091425631d1b4d32a77d703
MD5 hash: 9a4c87f9536e4b274e01572b263fd4d7
humanhash: saturn-apart-grey-freddie
File name: SHIPPING DOCUMENT.7z
Signature: Formbook
File size: 541'709 bytes
First seen: 2025-10-09 09:02:38 UTC
Last seen: Never
File type: 7z
MIME type: application/x-7z-compressed
ssdeep: 12288:NeqkL+jE501wYyVxVu3Ug5yy7+Fyg9pg9R/+rq7mTIu:NYL301wYyVWUg3spfrBTIu
TLSH: T1C7B42395DAD9D9DE746311007645804AD117C4F3F968DC282F37937AEBEE8EE8E0810B
TrID: 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
TrID: 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika: sevenzip
Reporter: cocaman
Tags: 7z FormBook Shipping


cocaman
Malicious email (T1566.001)
From: "ash.zhang@ugslogistics.com" (likely spoofed)
Received: "from [45.144.212.234] (unknown [45.144.212.234]) "
Date: "8 Oct 2025 15:42:11 -0700"
Subject: "RE:SHIPPING DOCUMENTS"
Attachment: "SHIPPING DOCUMENT.7z"

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 62
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: jZstjbQAbz089D3.exe
File size: 583'680 bytes
SHA256 hash: 26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
MD5 hash: be11fc4c470483bff5394b377067f278
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: spawn shell micro

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint packed vbnet

Verdict: Malicious
File Type: 7z
First seen: 2025-10-08T17:39:00Z UTC
Last seen: 2025-10-08T17:55:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: .Net 7z Archive Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SFX 7z SOS: 0.43

Threat name: ByteCode-MSIL.Trojan.XWorm
Status: Malicious
First seen: 2025-10-08 22:15:10 UTC
File Type: Binary (Archive)
Extracted files: 9
AV detection: 21 of 37 (56.76%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:hi23 discovery execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win32_dotnet_form_obfuscate
Author: Reedus0
Description: Rule for detecting .NET form obfuscate malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook
Sample: 7z 977efd6cd3a376be30cfac84af59290e83ea5b816d12a932dfeb361478eeb877 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments