MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d994985a0e58672d0274aa6d90e7c420858e61ba9a42f1d8650a793de687714a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d994985a0e58672d0274aa6d90e7c420858e61ba9a42f1d8650a793de687714a
SHA3-384 hash: b5ccaaad91d7055e9483c5d3d4eed76e5451a0a62a23dd80f00ca9c660cfdb09ef47798c05579b119c47e55c0b80fe49
SHA1 hash: 98810053ef32a8d3c8b5653fd4676f6d9bcbf0c2
MD5 hash: 34500dd88357d5ef2b6109b959c81e7f
humanhash: moon-carpet-carolina-kilo
File name:PO-STI2503200011.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:135'168 bytes
First seen:2020-03-25 05:22:48 UTC
Last seen:2020-03-25 06:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e15dec3daac9130e34f8542deb0e7326 (1 x FormBook)
ssdeep 768:t5rH8demUGIG5YXlLxt5GtjwW2I1Ut0CenKPmxBYMpIksqnsILuuHHJbJ+W0DK:tVWemUZeWIGSEdPMYksms3abQW0W
Threatray 4'848 similar samples on MalwareBazaar
TLSH 37D34A22F510E856DC560EBC8C51CAFC491BAC207C24DF873952BF9D2CF638299697AD
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Generic-7640578-0
Create hunting rule

Win.Malware.Generic-7640581-0
Create hunting rule

Win.Dropper.Agent-7725907-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-25 03:03:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 30 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gkjqwqolbts2atuvjwzbz6eeccy4yn2tjbpdwdfbj4t3zuhoffa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067
FormBook
2f771c3a96ef9ec780781a8082aa6aa1f0d885224e6feef33f3cd7bf5e847a48
FormBook
3a0804b5ee36b66aa44341d7f9397cb93291fd788517e632b2b6a00678a5ebe3
FormBook
62629c366ee55b4376c03a63e8f94e121a3ff7cbecfcf22d0158515446a9457e
FormBook
6e67f9295d091f8c9fc762c738712a3516c295b3e22bc8f41465c8633cda5114
FormBook
76d45ff13654988781428940dab2825a158e15679d0f1faf9615b76a2cbff4a7
FormBook
7d59dfed8b95da94664078ba62cc2b0eb6d1a346b6d4d480aef47800680c74a5
FormBook
8f71441f8e9db24dceee698de265dab77bda6298ceb4b9bc8cb1d77a54d7229d
FormBook
e5d4600354cad7a882caac33f0e18bc6702a269dab9315ef71835fbbad747626
FormBook
ee886ad4641b398a0c45a2e4395d031727c8caf0054962d0ecb868a0112758a0
FormBook
+ 4'838 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 816ea7352bd5db05253d85c404c71e28145a384b65a97b4d4086de95109405da

FormBook

Executable exe d994985a0e58672d0274aa6d90e7c420858e61ba9a42f1d8650a793de687714a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 816ea7352bd5db05253d85c404c71e28145a384b65a97b4d4086de95109405da
anyrun
any.run
https://app.any.run/tasks/3f06eb3c-e0c9-4bb6-b234-aa6a674b88ed

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaLateMemCallLd

Comments