MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d
SHA3-384 hash:	d91b242798d335d4e26d0efe9fdbdc00a3a604ac51121898052dc51c8b11f000faa2cb88fda152814240a8e6e0366e11
SHA1 hash:	bbfb025b9bec318637a65152903b0d7e10d010a0
MD5 hash:	a42d79b83218627b99942ed50649b8f2
humanhash:	muppet-pluto-uncle-stream
File name:	BF-DOC COPY20200804_pdf.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	495'616 bytes
First seen:	2020-04-08 05:24:05 UTC
Last seen:	2020-04-08 13:37:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b8e2c3699cdcb2cc60f4f0484f104f80 (2 x AgentTesla, 1 x AZORult, 1 x FormBook)
ssdeep	6144:603teM4+3za+N785i79T2y1/dieUVeOKqjtWXM9U49NJ0UPsAeZ:609l3zaV5i79SS/EeUVnKqvDJ0UPsA
Threatray	5'117 similar samples on MalwareBazaar
TLSH	86B4D0217A80C473D67621308962CEF54B767C31DF606B5B7BC6AB3F6E70282D618399
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.LokiBot-7665516-0

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-08 02:21:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=evecolpc3eyptg4vhp2gnve5l6cq6t4rax7uecjx5x5jvzyk756q._file

Verdict:

malicious

Label(s):

netwirerc

FormBook

4dcaa189e4b595f7c2ea35bf30bcbee49f9f9c2a3bbe16d832a30c8df30c2a88

FormBook

7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6

FormBook

8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2

FormBook

9fba6ffeb90dd242748718d8272a4942496e76a4f68bdb4dd42f93b044b5ed50

FormBook

a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c

FormBook

b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893

FormBook

bd5ef5bbf0773410eb8b2dd81922a0323042e0aa19adf4a1a7778c8e2c6e115f

FormBook

ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

FormBook

fdaa0ccf5d95605d17069cac59ee65372fb4af562cfcc330a6a4c82cc2838273

FormBook

+ 5'107 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample