MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549
SHA3-384 hash:	707d6eb8f6dc1282b38edcd49fd9865c1e8f596b50ff0980fcf484bae4751bacc1c7dc6815d7489c0d45a840ad633d96
SHA1 hash:	b2aca33ef873f05d3761572d33408c79f57ef707
MD5 hash:	77e3572af01c7a784cb49abc63dc3949
humanhash:	river-fish-mango-quebec
File name:	77e3572af01c7a784cb49abc63dc3949.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	98'304 bytes
First seen:	2023-06-01 05:45:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	1536:S043SSJshJixmFLZbIUfyVAEfUtv/69/d2rxzy7Fi/N7xxGDN6GtLF9pZO:JdhJVZbIUqVAN4/dAdyw/wN6AJ9pZO
Threatray	1'478 similar samples on MalwareBazaar
TLSH	T1AFA329AC67A86602C31D963683F08220533A96771B57D74B0AC720ED4F677C6A84DFDB
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

77e3572af01c7a784cb49abc63dc3949.exe

Verdict:

Malicious activity

Analysis date:

2023-06-01 05:52:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ed3b1b1c-55a5-42fd-9c93-dab94183c4c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/394282/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67327746.20435.7845.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/647830a00a98d88b592ab12a/reports/36a5cd3f-cb44-4111-babb-e0759669aa60/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/eee9f2bc-aa40-4c6b-8166-2e3bde0c8388

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1246570

Signature

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2023-05-31 22:23:54 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w6vyo7qyof6etkmfgg5dr5fiqu4evr2dfz2ckc4ir3cdnjfzcveq._file

Verdict:

malicious

Formbook

66f670897647771d09ce1aa90e62b72aaa02ef22461d1fae042a52520abad20d

Formbook

68e5677a864f229ef02194052ef540cd7b80695b10e5493edfc0d51a8d87874a

Formbook

726e443731f4005814fed05263c664cf47c64eaf2135a192fe1771e03ef42341

Formbook

836907bfb58ca905abe606873a4a8e761d6b2573fbe61d1289d8ddb4188fc238

Formbook

8d4e8edf683d42f1f5287ae5d25f57d93285fd6b32f2198a1a2545cd17b05a1e

Formbook

901112dd590ebf7bb0314c090a66522540e27d7ae769f2030ac47e3046f5d313

Formbook

a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4

Formbook

adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

Formbook

+ 1'468 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230601-ggayqadc6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549

MD5 hash:

77e3572af01c7a784cb49abc63dc3949

SHA1 hash:

b2aca33ef873f05d3761572d33408c79f57ef707

Link:

https://www.unpac.me/results/c37f2def-f1fa-4424-8cdb-97895781aab3/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7ab877e1871/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2647796/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/394282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample