MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a979bc05628a8a31ba4e8b2a476b2741ff53c278e0b6eb14a179486e26ee8e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	5a979bc05628a8a31ba4e8b2a476b2741ff53c278e0b6eb14a179486e26ee8e8
SHA3-384 hash:	dd2238279aec6f58131f164f0c4b63de2e3e527aa97fb5e072cae9eb55c7a999860eb1eef29d478612d878f26335811a
SHA1 hash:	d87ec8f07f5d74f21bcd63c7b89850e310160be7
MD5 hash:	d346f9f3aa4e24153331bfe0fd81594e
humanhash:	twenty-washington-papa-seventeen
File name:	Br_facilities_purchase_Order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	524'288 bytes
First seen:	2020-04-30 07:34:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0471d9f3d9f142373524705d6a5cb951 (1 x Formbook)
ssdeep	6144:2gvDokP2z99ASK2XEC5UMySd9/CA/E1Rx3zZsQrJqHdYlfm+p7sYD:HvcAM93VEaUMySv/ChR3+Qs9Yleo
Threatray	5'100 similar samples on MalwareBazaar
TLSH	7FB4BE8FE40AE0A9D0C672B5A49C6B574348F365D2520FAE3BA3CB369361740719C7E3
Reporter	jarumlus
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Remcos-6959375-0

Gathering data

Threat name:

Win32.Trojan.Noon

Status:

Malicious

First seen:

2019-05-01 00:02:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Verdict:

malicious

Label(s):

netwirerc

Formbook

2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067

Formbook

5ad78a69716725c819bc307eb9627bea7479db03cbdc17d5930aa72341fabe73

Formbook

9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412

Formbook

a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091

Formbook

b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663

Formbook

bcdfc779372272941a86132fe14ef811d9d0faa47e5430175122b0bc2a215dcb

Formbook

d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620

Formbook

e42e9a9d0222fd8eecd5b406ceb2ab65a9c965d9f3d5d11043ea84a69349f432

Formbook

eb3e94888d5e945faf0b570acc1b2a4652f1b92940e8ac1cd62ff756d39aa1a0

Formbook

+ 5'090 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample