MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e29e2d1a0dcaf0555bab1cbe36992a89271f4cd16cdba3d3e1f4d79e9e54fc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e29e2d1a0dcaf0555bab1cbe36992a89271f4cd16cdba3d3e1f4d79e9e54fc2
SHA3-384 hash: 8e1a01a57e128bbdb8f8f7cea7d8eed9cb7a88d58336c7b60610aeb9af1d883a8c15f6ef5be00c098a0b7711c6a75b59
SHA1 hash: fdd522653ee99101edad17ca2f98c4513f882b7e
MD5 hash: f97dd3dcc7e7d588f20a610fe154d9c7
humanhash: seven-charlie-massachusetts-mountain
File name:NEW PO-204202011.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:102'400 bytes
First seen:2020-04-03 04:59:13 UTC
Last seen:2020-04-03 05:31:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef3a9eff89023588a631c40ff018feac (1 x FormBook)
ssdeep 768:YLAMnRzVbKWhZitSlD7yRpeUym9EijfEdYRpnh9v9XQ:/0bKWvikHyTfKYRpnzv6
Threatray 649 similar samples on MalwareBazaar
TLSH ECA3F522BE20FE10C4045EB18E7A96EC6039BC309E596F13BAD47B6E3D701D5B642B57
Reporter jarumlus
Tags:FormBook GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Generic-7647392-0
Create hunting rule

Win.Dropper.Noon-7647402-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 23:43:18 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=byu6funa3sxqkvn2whf6g2msvcjhd5gnc3g3upj6d5gxt2pfj7ba._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152
FormBook
4b5e08d727e3e43db31db4f514737a9ac90088bb581df44beb9c0ca2c0d9bb07
FormBook
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
FormBook
65bd5f3bc433f60bfc5ea392aaa33539592d657cbe2d316b25b24c9e12c225cc
FormBook
8a3bc41cd895dfbb83b1f71dde6f25cec8d09f8506602433546a52f0e4565afe
FormBook
8f8ff17b512710722ead6b14aa0f6978b88bf62efb4e61db7c9b589c6f5ba7b8
FormBook
ac0df53e11fe25d8523b781869fc8dbb6c94ce98c3c68a3e25142aa07f583035
FormBook
b3a1b2c34631ea7174675f09e243ec00136cf9b7f585d97d1a85539ee7f279a3
FormBook
c906a842516c0b1b052768b573c44fc42d24e0abc4d89ca8e4afc2559adaea1d
FormBook
f59beda320367cafabde03dd3b8447f13afc115e66c2f0a6833bb84e64eb2017
FormBook
+ 639 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments