MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50
SHA3-384 hash: 84420fe404a5f2ae308c802f82a4f046929ac508270ce0a7e8cbb2e552738c582bdc77628271599358ae21ffe77f923b
SHA1 hash: b108e94ca73005e9b21f210454fbe9899570bdd1
MD5 hash: 964e3365907ec861cb47c142680913da
humanhash: skylark-alabama-vermont-georgia
File name:DHL DELIVER..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'674'240 bytes
First seen:2022-05-07 06:26:30 UTC
Last seen:2022-05-07 06:48:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:TRYMfy7ZtzM2cBQIvyMgYPJkGiPXmP7gQePMnv:VYZtNVcO5VXk7VePMn
Threatray 4'987 similar samples on MalwareBazaar
TLSH T1AF75290E774A8945C844E772EDB32F622BA5D7BA5C416307E3C53A3DD82B3A96D40783
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL DELIVER..exe
Verdict:
No threats detected
Analysis date:
2022-05-07 06:32:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2acf10f-783b-4da6-8e04-686ac2cc102b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269218/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6276114c4b517e213c215290/reports/978713c2-f1b0-4e3e-a0e2-4a4ae40b943a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8962ef0c-565a-40c3-a245-abf525e6dbad
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/989429
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621922 Sample: DHL DELIVER..exe Startdate: 07/05/2022 Architecture: WINDOWS Score: 64 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 .NET source code contains potential unpacker 2->27 29 Machine Learning detection for sample 2->29 7 DHL DELIVER..exe 1 2->7         started        process3 process4 9 WerFault.exe 20 9 7->9         started        13 cmd.exe 1 7->13         started        dnsIp5 21 192.168.2.1 unknown unknown 9->21 19 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 9->19 dropped 15 conhost.exe 13->15         started        17 timeout.exe 1 13->17         started        file6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 21:57:22 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzsmlhyzrnxd5qv4evfzowh6eacgwtg52crv6pu4r67wghc2rjia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
089c37a0afa3e281d1784c54442e67572690496a7795f28d93fa9cc3284e93c4
Formbook
37e3a3e4a0b161fbfd16602bb993ceeb34a7f25f2fc6d36459cc35afbff92363
Formbook
526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843
Formbook
791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
Formbook
9213771d3c5189ae487f47c552a34856d2298ed22aac305bc5f29c03212312ea
Formbook
eedd8e36fccdd66ba60d50f2c187b6600550332a3d377338f3641eb8cff7f1e3
Formbook
f366cb892570b264ce73bd7c818ee214f0e5f00dc008a4dac5fa5cdc095ddab7
Formbook
+ 4'977 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:64pf loader rat
Link:
https://tria.ge/reports/220507-g7rn6acag8/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50
MD5 hash:
964e3365907ec861cb47c142680913da
SHA1 hash:
b108e94ca73005e9b21f210454fbe9899570bdd1
Link:
https://www.unpac.me/results/fa131d0d-1ec7-456b-82f4-6c0513be55eb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3664c59f198b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip bbffff976d444db57bed39a3a8fd6b23ead78cee51a7c482ff5bcbdf12e6cb93

Formbook

Executable exe 3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/269218/
  
Dropped by
SHA256 bbffff976d444db57bed39a3a8fd6b23ead78cee51a7c482ff5bcbdf12e6cb93
  
Dropped by
MD5 0b0378bf9c4aae223e196b1e7a1ee05b

Comments