MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7114d11c6d2c64d78b736694630c8e46803133f914bad5458bf90855cfc8e30f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7114d11c6d2c64d78b736694630c8e46803133f914bad5458bf90855cfc8e30f
SHA3-384 hash: 557046ff91d28346fa4e54ea779da830fbc504b92dbab2df86dc9b2cb10924fb0f1ae72dd3bc8552181c675e3bf64574
SHA1 hash: 54decc38d3da01de245bbf1fcb17b27d49708938
MD5 hash: b3c802b75c3aa50eb57e276a046cbf11
humanhash: harry-pasta-finch-shade
File name:Shipment Document BL,INV and Packing list Attached.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:102'400 bytes
First seen:2020-03-31 07:40:47 UTC
Last seen:2020-03-31 07:51:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eea08526d4d91495f8ea6cd9f3cb3d90 (1 x FormBook)
ssdeep 1536:PyoMrvn33zP1PMs9RSk4713jG4fPfHC2:U3DPas9SX3
Threatray 4'874 similar samples on MalwareBazaar
TLSH 8DA3C413FA00FD95D8280DB69B70979C92467E356E09AA4B35C83ECE7BF12547242EC7
Reporter jarumlus
Tags:FormBook GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7647550-0
Create hunting rule

Win.Trojan.Ponystealer-7648176-0
Create hunting rule

Win.Dropper.Remcos-7683428-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 02:03:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oeknchdnfrsnpc3tm2kggdeoi2adcm7zcs5nkrml7eeflt6i4mhq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0fe7ea8749ad06ace6adf0d7ffa5f6f22ade0f9acafc4aac72b77f3b7c017ad9
FormBook
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
1b03fa4e56e70ad55ca0044382bf11a6e5a4dda8cd750fc1bd4c7198a505b365
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 4'864 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

FormBook

Executable exe 7114d11c6d2c64d78b736694630c8e46803133f914bad5458bf90855cfc8e30f

(this sample)

FormBook

Executable exe 1b03fa4e56e70ad55ca0044382bf11a6e5a4dda8cd750fc1bd4c7198a505b365

  
Dropping
SHA256 1b03fa4e56e70ad55ca0044382bf11a6e5a4dda8cd750fc1bd4c7198a505b365
  
Dropping
MD5 958b052fd4467bc61e8f91fe27493735

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments