MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 154c8ad4fe041cb711c139005c210a63f15c3c030cab34e358256c4375a06aba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 154c8ad4fe041cb711c139005c210a63f15c3c030cab34e358256c4375a06aba
SHA3-384 hash: 8c69030b47958cd618941712a69507311f90cbf79356b171632df14956d256b9d7b75ff3bcf1036ee5891c5373672188
SHA1 hash: 42320cbab30a997244f3aa370f28ee8fb425efb5
MD5 hash: 04a2e456c4d65d43e9217eac7d90f9cb
humanhash: green-yellow-twelve-grey
File name:ArcelorMittal Trading - ARMT#4562198.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:122'880 bytes
First seen:2020-03-24 12:16:27 UTC
Last seen:2020-03-24 13:38:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a519de1572f2db086b0735716b806d64 (1 x FormBook)
ssdeep 768:u3YiUCYV5XSEN95IQtkvQhHv1TfXRjMWzeIBglpbmAFDEF2HnA8iyB:u3YiJYVlLIW5RjoTlpyAa8ArU
Threatray 4'860 similar samples on MalwareBazaar
TLSH B0C34A21F640E854C8892E3CAD86CBF41671AC214E30DA837F463F9E3CF96339DA9655
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-7640419-0
Create hunting rule

Win.Dropper.Agent-7725907-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-03-24 20:10:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cvgivvh6aqoloeobheafyiikmpyvypadbsvtjy2yevweg5nank5a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0232a1b1877a9e16f3e24ce5add9e3112597f67870fabc96ed63b1cfa978d4d1
FormBook
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
2302aa79bb34eb683a91324995a9fb366bbbe55dffb53deee00b842e75ad19c0
FormBook
29247c960e16e376148704241453b7a008a62c050e9d11b2bba111452acb7fa3
FormBook
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
FormBook
45dbdfee969f471810b5c4940e8bf57a5ce301467329ee9e6d220a93231892a7
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
bcc826091ec71230947aa1916263434935a58ffe5977cf415b1d970633939652
FormBook
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 4'850 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z 09631538f6dad33f7a400df7e0338b117c36031df2019576c314ee3e57e5b42f

FormBook

Executable exe 154c8ad4fe041cb711c139005c210a63f15c3c030cab34e358256c4375a06aba

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 09631538f6dad33f7a400df7e0338b117c36031df2019576c314ee3e57e5b42f

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments