MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac8087b133a1022287bb8aad082e1fd0b669509289a5ef5f2e17714de7acfb5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: ac8087b133a1022287bb8aad082e1fd0b669509289a5ef5f2e17714de7acfb5b
SHA3-384 hash: 30725101ae57d66151a2d95ec578be3072da1f8487a91ac2f6a2379f489f69feaa25611e140d200e19351e23b1c047e7
SHA1 hash: 58060b2ab7c2441aeb29a034c48fc190c9789281
MD5 hash: c66f665b6e12b556e6c90b52af988edc
humanhash: oscar-west-maine-video
File name: vbc.exe
Signature: Formbook
File size: 454'656 bytes
First seen: 2020-06-30 06:47:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:RoKS5+HFnqBs8fgm/W/uHzg1TtQ/VMIRXLlHqS5mBXPW13HQ3v:qeFnqBscg/IMtQ9MIJLl3yXPW13HQ3
TLSH: A8A43A277D41F12CC0165A3380EE1D56A37569E12333C70FAB4F67A85E4529B7E2A22F
Reporter: @abuse_ch
Tags: exe FormBook


Twitter
@abuse_ch
Malspam distributing Formbook:

HELO: slot0.winnwinnllc.ga
Sending IP: 68.183.98.32
From: "Maersk Line " <info@winnwinnllc.ga>
Subject: Scan Bill of Lading
Attachment: Scan Bill of Lading.xlsm

FormBook payload URL:
https://kyivremont.com/vbc.exe

Intelligence


Mail intelligence: No data
# of uploads: 1
# of downloads: 31
Origin country: CH
CAPE Sandbox Detection: Formbook
Link: https://www.capesandbox.com/analysis/16841/
ClamAV: SecuriteInfo.com.Formbook.28358.14663.UNOFFICIAL
CERT.PL MWDB Detection: formbook
Link: https://mwdb.cert.pl/sample/ac8087b133a1022287bb8aad082e1fd0b669509289a5ef5f2e17714de7acfb5b/
ReversingLabs: Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Occamy
First seen: 2020-06-30 06:49:03 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 8/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-nypwphzh9s/
Tags: evasion trojan persistence spyware
VirusTotal: VirusTotal results 36.62%

Yara Signatures


Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ac8087b133a1022287bb8aad082e1fd0b669509289a5ef5f2e17714de7acfb5b

(this sample)

Comments