MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65bd5f3bc433f60bfc5ea392aaa33539592d657cbe2d316b25b24c9e12c225cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65bd5f3bc433f60bfc5ea392aaa33539592d657cbe2d316b25b24c9e12c225cc
SHA3-384 hash: fcff24577cbfde9036608f8084839c6ccf310b43c1cff0a38a892ea183e5076e8db2d64bc61a219dcfc8a7279d4024f2
SHA1 hash: bb8aff1a7a64c9b706d52bbf74360b6debdd79aa
MD5 hash: 74eb0bbdc7ebdd505ab11e57037092d5
humanhash: queen-music-one-london
File name:Company Statement.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:102'400 bytes
First seen:2020-04-01 14:06:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ee7159e299c03e5ee04693b902be556 (1 x FormBook)
ssdeep 1536:gfVBHMQZf1JoNNNGDQRcWln6ZYTtwYUBZT0:yLHMK1JkLRc1ZYTtwYUBZT0
Threatray 1'596 similar samples on MalwareBazaar
TLSH 3EA32931BA50D991C8044EB2DEA287FC5326BC35EE94AA4775C43FAF3EB15019452F8B
Reporter abuse_ch
Tags:COVID-19 exe FormBook GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader->FormBook:

HELO: novo.com
Sending IP: 89.38.149.103
From: Jake Johnson <Jake@pmj-interational.com>
Subject: COVID-19 Company Statement
Attachment: Company Statement.z (contains "Company Statement.exe")

GuLoader payload URL (FormBook):
https://drive.google.com/uc?export=download&id=1UrSVYWQVD5e0ZzOppGXUWH6fw6rygt9h

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Fareitvb-7646510-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 14:35:29 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mw6v6o6egp3ax7c6uojkvizvhfms2zl4xywtc2zfwjgj4ewcexga._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
12b62af6539e46350a256cc22d72b17b2d005507ff7332390da2fc2ebe159bb1
FormBook
2bd30faef9e89799bc33f076afc8f3521bc84018c8e27829e8f475ee1c8dc13b
FormBook
4fb3528f5fc1a30b03cf69920e1db68cd4943c1c303a09cac0723a10abfcc378
FormBook
5cd5f57afb04ba3ce4e5aaee5a7fa7d10b24a334e30911a49a4cc4cb52982848
FormBook
d3aa9fd1ed4af3cc3a49e612b93a03f799ada340c1c086f7403448fe77115bb1
FormBook
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
FormBook
e7cf4a0d3f94afea480bf5e64a658029d02191330244697ba9afd81dd5b56386
FormBook
e943534d22e73e0d062b7917c007b744ce19014e0a0c90dfd37219281bcf204b
FormBook
f02253cc15ef8590d38f2c623609c3d462c2352da4aab698b3959c8ba4ced4e7
FormBook
fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241
FormBook
+ 1'586 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z f54b8714e404d97f3bcb5dfdf75f7c961bb6a01def5fdd75060b57476fe0acfb

FormBook

Executable exe 65bd5f3bc433f60bfc5ea392aaa33539592d657cbe2d316b25b24c9e12c225cc

(this sample)

FormBook

Executable exe f9a4827b1355e83175a1ff06792046f8f81e7140748600743636a7725f9a79c5

  
URLhaus
https://urlhaus.abuse.ch/url/332781/
  
Dropped by
MD5 a3f9f9c0a6827ebe04195411754f0a70
  
Dropped by
SHA256 f54b8714e404d97f3bcb5dfdf75f7c961bb6a01def5fdd75060b57476fe0acfb
  
Dropping
MD5 fae1b4e5f56cc0624b29527a45a9206d
  
Dropping
SHA256 f9a4827b1355e83175a1ff06792046f8f81e7140748600743636a7725f9a79c5
  
Dropping
FormBook
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments