MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37708373f6b4deb76e61c7a9c65200bba9f9d7ca7ebcd82d09242dd9231fa072. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13
SHA256 hash: 37708373f6b4deb76e61c7a9c65200bba9f9d7ca7ebcd82d09242dd9231fa072
SHA3-384 hash: 25b95620f0ff863ecb79061ccc07518b3cd1763fe31fdc4486baf6476a497436ee4c436b409bfe037ca49f9c51825dc9
SHA1 hash: 56280d53bd4c977debbc0e36ff0b7a3f3b3e3786
MD5 hash: 79c46056fb002fcd31fba21bae0d9221
humanhash: nineteen-foxtrot-lion-earth
File name: SecuriteInfo.com.Variant.MSILHeracles.37963.6224.26571
Signature: Formbook
File size: 577'536 bytes
First seen: 2022-05-11 18:00:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:XAmeu0m2jup+6QL8WuVfNUjEaF+Bqgbvy9GZQNk88UWIgRf/GzFB2ORvJ:10mwuUpQWuEgFBq6vy9EPKg1/EB2ORv
Threatray: 15'440 similar samples on MalwareBazaar
TLSH: T128C4231636FD4B12EA7A0BFA5482422003B9BFEB7130E74E4F4258DA6B93B115613F57
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 298
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.XLoader
Status: Malicious
First seen: 2022-05-11 18:00:10 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:snjq loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SHA256 hash: 7143f0e1a8b3db1ca89b3589378eb51ed13288bae5eed34bc9cab6c3bc62f432
MD5 hash: 4d87340217abb88559be3ec195c7fda4
SHA1 hash: 6b4082316853fd02f489153ec2a5070027cfbf26
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 4b4464cd9ceb89249c9b34baf51469f31ce9901d1a5eec2c1893f3c2a9445cb7
MD5 hash: c5945bb9f722e6805de3c40b46461042
SHA1 hash: d2ed759f2a405830e9a05ae206d881ee0746e5c3

SHA256 hash: 74e07656cbc1143d9a597963eb9e622b0b21f4d55f8e8634eb43e2874ecf51d0
MD5 hash: 76b8b7f1a1e59bb424798b64c6055deb
SHA1 hash: 7637116526b0b8e9139991ae6e3ff8d477cd91f6

SHA256 hash: 57c285d72b7aa82a656c403d85e466018abe3f1ae84ff840a076ef6b73ac3c0e
MD5 hash: 10e39400fc368e64b1e4ba024c5223d6
SHA1 hash: 2cfda343182e9a5b810f77fe3e3df34fb94908f6

SHA256 hash: 37708373f6b4deb76e61c7a9c65200bba9f9d7ca7ebcd82d09242dd9231fa072
MD5 hash: 79c46056fb002fcd31fba21bae0d9221
SHA1 hash: 56280d53bd4c977debbc0e36ff0b7a3f3b3e3786
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
