MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c11c15902d64e4b5ad06df07af329cb59a9626dae68a25fc9fc87dd4db9e6a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c11c15902d64e4b5ad06df07af329cb59a9626dae68a25fc9fc87dd4db9e6a2
SHA3-384 hash: 22cc601f02041e0253fde4d8091c48f832becf3e176747dc5e689a769bf5476ccd8d9eaee81bdc345b8d47138ce0b736
SHA1 hash: c83b2b9559bd7b4e27dcd8e433bc85a455067ec3
MD5 hash: 199e33977658213a50e3b77caafca889
humanhash: indigo-london-shade-three
File name:Attached Specification..exe
Download: download sample
Signature FormBook
Create hunting rule
File size:135'168 bytes
First seen:2020-03-25 06:11:01 UTC
Last seen:2020-03-25 08:12:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c5cbd517001154ebf6506b09e8f2ec8 (1 x FormBook)
ssdeep 1536:talVbiPU7R8C6AYeyJBttivYuZPtSQRk:tQbiPWR8NNrjultSQC
Threatray 4'859 similar samples on MalwareBazaar
TLSH BBD35C72FA10D8D6DA464E7C0D42CAEC0923BD34AD20CE8779057F8E2CF63429574B9A
Reporter jarumlus
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-7640623-0
Create hunting rule

Win.Dropper.Agent-7725907-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-03-25 14:58:12 UTC
AV detection:
24 of 30 (80.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqi4cwic2zhewwwqnxyhv4zjznm2sytnvzukex6j7sd52tnz42ra._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
3bd58e3b3fe712e8d7595cfbd576a96251c68a5dac230bd3e778640e8eb817ec
FormBook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
bf58aecacc268c49d707512236a42c80cf096b24850c3096eb056f662ecbe2e3
FormBook
cb79e22a86732bd8ccbb3d73dcc9ef716e305c85dfed8872851c273d1eaacaf4
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 4'849 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaLateMemCallLd

Comments