MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea03bddaf3ee776f78eb33a3ff355cc2ffdc9a610ab086d49f28dffce00d8c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 3



SHA256 hash: ea03bddaf3ee776f78eb33a3ff355cc2ffdc9a610ab086d49f28dffce00d8c99
SHA3-384 hash: 1cc364710becaa4e77a21795627bf1de1434210ed3c63971f5be1f48bcc10d2f5418e2e12c4824bcef34ae446b0d4799
SHA1 hash: d8fbd5d7da7785c5011e93c1e2f642fd21f29543
MD5 hash: 67266005c2ad6efb534732a0c040ca97
humanhash: minnesota-grey-december-juliet
File name: ea03bddaf3ee776f78eb33a3ff355cc2ffdc9a610ab086d49f28dffce00d8c99
Signature: FormBook
File size: 512'000 bytes
First seen: 2020-03-23 18:49:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c790cb9fbd6092339c7eb72df03ddd14 (1 x FormBook)
ssdeep: 6144:houUnZksZWWLaZwwYJwsEgwG80MfHWjRa5UzHYFOFXEfrqaKvUsRa:houUndgqwunEN03Ra5MHQdGa0a
Threatray: 4'841 similar samples on MalwareBazaar
TLSH: C4B4F170693E9148D808AE36DE73CDC5193A4C78EDA36C55A723B16D2C77AE0E4063ED
Reporter: Marco_Ramilli
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Noon
Status: Malicious
First seen: 2019-06-13 13:31:57 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 27 of 30 (90.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
VB_API | Legacy Visual Basic API used | MSVBVM60.DLL::EVENT_SINK_AddRef

Comments