MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a690f7baed1b42a2a1503838fd5ef1e0c231ed85036e77180cdc6aabc19615e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a690f7baed1b42a2a1503838fd5ef1e0c231ed85036e77180cdc6aabc19615e
SHA3-384 hash: 691cf9d09e5efa90aa266b6b46229cb55d28432013b501b826380c746887275810e62831506c7b124545032641bb8b2e
SHA1 hash: 4600bbed731c161262ba4cde6ce77bd63531f445
MD5 hash: 70ef854fa71f15f16acf492d4eef3714
humanhash: music-berlin-bluebird-robin
File name:booking order,doc.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:102'400 bytes
First seen:2020-03-31 05:33:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash db5ade8024e6dbe895ec1dd01d29bdb3 (1 x FormBook)
ssdeep 768:keAkyTNqb2juxTbbItkxxVGyjNxSuG1GHWAbspYvsluw8SHWBUlGgQC:kLrTUbyuNbbb9NxSl1GHWAbJsKSHWst
Threatray 4'864 similar samples on MalwareBazaar
TLSH 4CA3E612FA60FCA5D4280DB19B71879C53517E35AE19BE4730C83ECEBFB51987102A9B
Reporter jarumlus
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Rogue.0hr.20200331-0306.UNOFFICIAL
Create hunting rule

Win.Dropper.Remcos-7647550-0
Create hunting rule

Win.Trojan.Ponystealer-7648176-0
Create hunting rule

Win.Dropper.Remcos-7683428-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 07:32:52 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=njuq665o2g2cukqvaoby7vppdygcghwyka3oo4mazxdkvpazmfpa._file
Verdict:
malicious
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
1e997f4144eb94f184308c7ebe6dbad709cf7151721c563e43a92d52539d4e1d
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
895e7e85e398a6bd3615a8453c1ed21979a2676fa84af0e53077635f812b64fc
FormBook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
bf58aecacc268c49d707512236a42c80cf096b24850c3096eb056f662ecbe2e3
FormBook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 4'854 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments