MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d51d90494967e7f04fb03f0f0919afce4597860e34fa80bb116c8683dce0126c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d51d90494967e7f04fb03f0f0919afce4597860e34fa80bb116c8683dce0126c
SHA3-384 hash: 0731e96f45b8c4a666f4c9b5eba78ee1319fe9477e15a2e86bb4cdb31fa3ba08070d870fbd617b346fd06e4e8f5d6a93
SHA1 hash: 6d083e02afe43bed648d28048aaa5c8a46ce7e3f
MD5 hash: 856f155cecef28c4439cff299017ce3b
humanhash: cola-sad-pip-edward
File name:SecuriteInfo.com.BehavesLike.Win32.VBObfus.mz.30241
Download: download sample
Signature FormBook
Create hunting rule
File size:81'920 bytes
First seen:2020-04-21 06:27:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4349e4f37839b10b7f36193a2a5e97d (1 x FormBook)
ssdeep 768:wxx9NO4W9VzpoTYlMnBz80dS48oNyIdyfYtd9:gbgSTmMnB78ojs
Threatray 5'098 similar samples on MalwareBazaar
TLSH BA8318A3B20530C3E8B8963177025AD1E72D7C668CC07B3E2E793E5999785A10EC9D5F
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.VBObfus.mz.30241.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-21 03:36:18 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uozaskjm7t7at5qh4hqsgnpzzczpbqogt5iboyrnsdihxhacjwa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
1065bf93114e6fb223724f449bddbb2da33c07379055b8ef03b301c508b04f55
FormBook
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
6367c3eb15039cb11576a7e325edb13877ffece95dff7cd096c6edc3eeefc834
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
ab22cc9817cfad165418fef902cfb760c2e6cbf2504cc7d4820aea846533d96a
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
bfd5b7fed44ddcac2f08d101923547f1e034e1bc2a03aaf358c8925870718dd6
FormBook
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
FormBook
+ 5'088 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FormBook

Executable exe d51d90494967e7f04fb03f0f0919afce4597860e34fa80bb116c8683dce0126c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/347293/
  
URLhaus
https://urlhaus.abuse.ch/url/347294/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments