MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ec11f04a12e5db826d13fdc5d764ba00145a60dbf89db107f1d1d176d680316. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ec11f04a12e5db826d13fdc5d764ba00145a60dbf89db107f1d1d176d680316
SHA3-384 hash: 05d5840a453357547ee61deb020b7ee17c9997194f1bcc28cc652abbbfc5d131cba104c6425c3b6cfe453d684931b487
SHA1 hash: 5db87704fed181ecd8fd77f0ac947d98456622cd
MD5 hash: 62aa8261e34167de7394d3e4f71d97e9
humanhash: emma-steak-batman-leopard
File name:1f72b237ac9dc5664bcb15e77f7c7f41.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:171'520 bytes
First seen:2020-03-26 20:40:10 UTC
Last seen:2020-03-31 06:49:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:sJ6aEP1ZtGf77+PyVlm8l6OS9cPKDpBPvoPZGB:ISE+aDmK6OSuPAHoB
Threatray 4'861 similar samples on MalwareBazaar
TLSH 5FF3AE32D641C035E27242B4FA7E0B7B883E0E35329495F5A3B41AE56FF44A5B52A31F
Reporter abuse_ch
Tags:exe FormBook GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1lHSVXB8aVTJ5eTg4EhlrrkYODHnazauY

Intelligence

File Origin
# of uploads :
6
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Win.Malware.Formbook-7399661-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Formbook
Create hunting rule
Status:
Malicious
First seen:
2020-03-26 21:35:32 UTC
File Type:
PE (Exe)
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3ar6bfbfzo3qjwrh7of25sluaauljqnx6e5wed7duoro3liamla._file
Verdict:
malicious
Similar samples:
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
FormBook
52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9
FormBook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
FormBook
916237116e09e4233846389b7410a8ccc7e7ef96c0ed97c3fdb19a08499504af
FormBook
9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 4'851 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

58d3f184c2931513d43802dd700f3ca353abd80bb30d0e11a0104f6abe58a8ce

FormBook

Executable exe 8ec11f04a12e5db826d13fdc5d764ba00145a60dbf89db107f1d1d176d680316

(this sample)

  
Dropped by
MD5 1f72b237ac9dc5664bcb15e77f7c7f41
  
Dropped by
MD5 fbd48aeed0b4f11dc15d544a4d2c443d
  
Dropped by
GuLoader
  
Dropped by
SHA256 58d3f184c2931513d43802dd700f3ca353abd80bb30d0e11a0104f6abe58a8ce
  
Dropped by
SHA256 7bbb274cdeb9c186255de1f0025829a15f6066594d5d2bed41611132383c38e4
  
URLhaus
https://urlhaus.abuse.ch/url/330745/
  
Dropped by
SHA256 491afea427ab2e087853f552fc510577c77b5981a525f55a0cf4bec66d485a6e
  
Dropped by
MD5 dba4d996666a0446a151b04a5d0d07a1

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
commented on 2020-03-31 06:49:15 UTC

COVID-19 malspam distributing GuLoader->FormBook:

HELO: momo.com
Sending IP: 89.36.214.239
From: Dr Luis Jorge Perez (WHO) <mcclure@cedarpoint.com>
Subject: Corona-Virus Disease (COVID-19) Pandemic Vaccine Released
Attachment: COVID-19 VACCINE SAMPLES.arj (contains "COVID-19 VACCINE SAMPLES.exe")

GuLoader payload URL (FormBook):
https://drive.google.com/uc?export=download&id=1VF3m3hCA36Tj4qIvieLmWFwgJEHZycBB