MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5aae053099934e5dcdf40478c76422303721bcbae5ae1c2d3685c51229df36d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 5
| SHA256 hash: | 5aae053099934e5dcdf40478c76422303721bcbae5ae1c2d3685c51229df36d8 |
|---|---|
| SHA3-384 hash: | 822615daa3b242fc57af3a91397e773e1ac19471d3f801f1e96269ee258d160c2c1cf6d16cccbbe04ce82532fb2cd818 |
| SHA1 hash: | e8d69e044f2a34c68edf17eeebd8d515e9e812fe |
| MD5 hash: | 80e760a31bcf8ea7dc200e148192e58f |
| humanhash: | table-white-jig-london |
| File name: | HPHA03586800.exe |
| Download: | download sample |
| Signature | FormBook |
| File size: | 902'656 bytes |
| First seen: | 2020-03-18 23:43:23 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 4587918448e9b9fe585b296033b3e2fc (1 x AgentTesla, 1 x FormBook) |
| ssdeep | 12288:DB30Yd7e4LC/AipEVMQJFKEymQFqmWqWR2VP4SYQRvF+u0Jks19Q6wH/afo:d1te4DiyVMZEiFB0R2Jpvrekx/ig |
| Threatray | 4'836 similar samples on MalwareBazaar |
| TLSH | A5159D32F2905837D9731A3D9D1B56ACA82ABE512D29B6463BF41C0C5F3978138293DF |
| Reporter |  Racco42 |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Status:
Malicious
First seen:
2020-03-16 16:10:00 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
netwirerc
Similar samples:
+ 4'826 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal |
| SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteExA shell32.dll::ShellExecuteA shell32.dll::SHGetFileInfoA |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle kernel32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA |
| WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.formbook