MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4d2c82cdc75f723e08d6139593a5a651e75e74b885acf480fe41c239d99e548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4d2c82cdc75f723e08d6139593a5a651e75e74b885acf480fe41c239d99e548
SHA3-384 hash: 454fec8b0fce6bc8e66c252e9a860d536cd8f98c34ac0123618a6e34c82f2653087969a6f7a0af6c9804250f5d7e4755
SHA1 hash: 772623d94be6d130ae9bb0597c47c3875406401c
MD5 hash: cf579f5d8318b9c2ca764d482388b512
humanhash: november-jersey-montana-louisiana
File name:PI.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:77'824 bytes
First seen:2020-04-29 17:12:10 UTC
Last seen:2020-04-29 18:12:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56c337f4292e0967ac82cfc53704f796 (1 x FormBook)
ssdeep 768:qy65gOrfRDRBFJ7gHTn0c0cGhFOhG7DB049OwyNfMhfL6:zOvB37oArLOWRY5NfX
Threatray 5'103 similar samples on MalwareBazaar
TLSH 24735C1370A9D6BDE7114AF04F25EF9801C2ACB40E558E1F3405F7AE2A39E41AF166E6
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: gateway34.websitewelcome.com
Sending IP: 192.185.148.142
From: cr7@refineryhouse.com
Subject: PI2020178B chacha new york -balance
Attachment: PI.rar (contains "PI.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Ursu.846817.27409.25426.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 17:35:40 UTC
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tjmqlg4ox3shyenme4vsos2muphlz2lrbnm6sap4qochhmz4vea._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
4e0e1ee117544cc9cb6784d36db3d349624ef1c888267b1e266a03ddb17d33a1
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
9da0df6eb709cee7468a850c0b59914ca84eeace25bea74ed6d393e0e5e84737
FormBook
a7cfc6a8e508a244063a4190921f1c91e30712838282fb20b8bcdb24b138bb9e
FormBook
a85f53a7ad2f536d245e47535007f2bceacfa10f08d7f3f6568781dd1794caa0
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
FormBook
+ 5'093 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f63bf174b9c3d3187ae4588e05dec07b

FormBook

Executable exe d4d2c82cdc75f723e08d6139593a5a651e75e74b885acf480fe41c239d99e548

(this sample)

  
Dropped by
MD5 f63bf174b9c3d3187ae4588e05dec07b
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments