MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69
SHA3-384 hash:	d59de5eded7b63423171a4df770a93f77e9df5b7fb11629257a855924e3a1a17096e4c785dec1ae33fedee07519e905e
SHA1 hash:	c1c43f33068e689a3d8a64a5938aeb9e60563a29
MD5 hash:	6a588d5ce11e2585372d8f72aeaa8b2f
humanhash:	moon-six-pasta-massachusetts
File name:	PO154527.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	3'713'176 bytes
First seen:	2020-04-23 22:14:52 UTC
Last seen:	2020-04-23 22:43:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e72c3bfcbb77a361abf35cfdb2b95db2 (1 x Formbook, 1 x Mimikatz, 1 x BlackKingdom)
ssdeep	49152:lngTysDUb3sZ/qe6A+dH8FOq8f3ppoJ/VSa+Y95ZkM0TxW1cutRNcs2efV2/5gBF:lmIbclt6Asq8vpc2UZqTxQeRBg9bL
Threatray	5'091 similar samples on MalwareBazaar
TLSH	1F063314F8A08973E0772C3040FCCBBAA97E3C665F9D959B6335BB644E3039135BA919
Reporter	Racco42
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.33712850.29618.22283.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Noon

Status:

Malicious

First seen:

2020-04-23 14:29:00 UTC

File Type:

PE (Exe)

Extracted files:

217

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=437w2fskq5wfbp6eu333molzct4wk3iojlxrz25gl4pjf3i3nruq._file

Verdict:

malicious

Formbook

223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a

Formbook

27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20

Formbook

322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e

Formbook

3259355435f9e6a9b041b93c2faa1ad8a3867de478a436606702593e4e130dd0

Formbook

3bd58e3b3fe712e8d7595cfbd576a96251c68a5dac230bd3e778640e8eb817ec

Formbook

5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6

Formbook

8e4431d4a51d7fe22c1fba157abfbd47249cc0ef0abe980e099ff3002839c777

Formbook

ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645

Formbook

f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c

Formbook

+ 5'081 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	win_pylocky_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample