MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881
SHA3-384 hash:	098b21296096b1bbf6850b1b3eda80a5a34ac9da1a440579959891f31b3d3f7099ff7374b9c83b95cc6c5b62df73e7cb
SHA1 hash:	69aa896d19bf070bf0b2f86cd891a40e666ccb10
MD5 hash:	6ba58586cc82948e772f5f2d064c6e28
humanhash:	shade-helium-ten-don
File name:	SecuriteInfo.com.Suspicious.Win32.Save.a.2280.30601
Download:	download sample
Signature	Formbook Create hunting rule
File size:	548'864 bytes
First seen:	2021-11-01 04:15:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:878H1P++FTlA5gDfEpJrffQzJsyHOgFWf2lycdke:X+GTHLZzlOgUAycdke
Threatray	11'097 similar samples on MalwareBazaar
TLSH	T1A9C4BE26627CAF43D93463FC84213158ABB06621BC97DB4DDFC027DE8A367B16D60987
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Suspicious.Win32.Save.a.2280.30601

Verdict:

Malicious activity

Analysis date:

2021-11-01 04:18:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a3f838b4-456f-4072-8700-25682b78bc74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.2280.30601.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/efaa3494-1b99-4292-8a95-d403c561cd88

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/880143

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-11-01 04:16:07 UTC

AV detection:

8 of 45 (17.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hal445haikfxrqbzjihwap5tbqa6gdr34tmtsco52u4x4q4bhcaq._file

Verdict:

malicious

Label(s):

formbook

Formbook

260472d8397219a6a202a4168b806c0879be49c60cca08fda308adccdd5cb809

Formbook

3bd841c6957e9fdb7e9d4558fb417dca9d7317d087cdbbb270155d9a6698e657

Formbook

695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92

Formbook

877727126dd647bbd23c00721d01b1bbe752a01f1943f89a35f3ba7c908f1a48

Formbook

8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43

Formbook

9136c283e5029c2f073b706014f6f73b67ead84450267cb5ce0dd26cbcecaa25

Formbook

bb8e1d48225b002a4da7d0c33051e7fc457e244ed610f536b87702439d978a46

Formbook

ca205b38e2ee729d40141563bbb4200970224f4e00b380d5108a3ae51fb7eada

Formbook

+ 11'087 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:huve loader rat

Link:

https://tria.ge/reports/211101-evta4shaa3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.thethomasgrouphomes.com/huve/

Unpacked files

SH256 hash:

8c625b5630814017aa4d9645c2af6697614e3ff1e87b122e88fb24a462bdc962

MD5 hash:

142b9b0c80bda86b4ae258a1799fd538

SHA1 hash:

e89261ca56a78959dffa41da3dda85b0d0433e6c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/41d50ff2-9a34-4590-a52c-408f8da6f14f/

Parent samples :

8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43
8c813fa41f5f1341dac70ff4c3473d6447c0bd0eb6c87cf77ab62a864dcd2674
260472d8397219a6a202a4168b806c0879be49c60cca08fda308adccdd5cb809
3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881

SH256 hash:

7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785

MD5 hash:

171a2669225911b41301096cd9dcf19f

SHA1 hash:

dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5

Link:

https://www.unpac.me/results/41d50ff2-9a34-4590-a52c-408f8da6f14f/

SH256 hash:

843a2dc61712646311c3e1acd70913d64036a1b68344440f2471f9c0b2d66478

MD5 hash:

cde59ff271f8438fd37bb30a57ddbe2a

SHA1 hash:

007febb586d9f022808f77e2912be11d4c29b03c

Link:

https://www.unpac.me/results/41d50ff2-9a34-4590-a52c-408f8da6f14f/

SH256 hash:

3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881

MD5 hash:

6ba58586cc82948e772f5f2d064c6e28

SHA1 hash:

69aa896d19bf070bf0b2f86cd891a40e666ccb10

Link:

https://www.unpac.me/results/41d50ff2-9a34-4590-a52c-408f8da6f14f/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3817ce74e042/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.95

Link:

https://yomi.yoroi.company/submissions/3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample