MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73734608e9413c807c8f09f793b55b77425b328052b5fa4ff82d66d6d4c15a34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73734608e9413c807c8f09f793b55b77425b328052b5fa4ff82d66d6d4c15a34
SHA3-384 hash: 9d7d28e9fdc9481f69847635e50ba1dff03fe96b46fa03ffed4ba9b22e55671bf4750f5defe27fb099ab4ac29269a875
SHA1 hash: 251863798fa7ea99d20a4d2f15d246d6d09313e8
MD5 hash: 4fc9db992ff1a4d7a15b04cc537713d1
humanhash: harry-april-wolfram-california
File name:48639e1420ed32793e6e804a3ab997f9.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:126'976 bytes
First seen:2020-04-06 13:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c90c109d16124e83cb7a25caef54f (28 x RemcosRAT, 1 x FormBook, 1 x NetWire)
ssdeep 3072:m1h1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUVa:Sh1qn3IF9Obbj/a1cpcQjeHOzqhUV
Threatray 775 similar samples on MalwareBazaar
TLSH F1C3E867F24B80A3D863027056507B72EEBCBC321A5D5157E7E8D8811DF588E9026AFF
Reporter abuse_ch
Tags:exe FormBook GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=17Ukn6_AqHto9_Z7OEVYUQKbL2HBeMMvX

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Rescoms-6598304-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 14:35:29 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=onzumchjie6ia7epbh3zhnk3o5bfwmuakk27ut7yfvtnnvgbli2a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b8d469babc7b057403a1d7ca0f781c9a675523941cfcc8bb6eae582680746c4
FormBook
2ddbe8b9f04a4a672878c6b54b8a3440d2f7d89b2fe0c5949df21c997c5443f7
FormBook
40838317f53ebe7b37fab29e95826e44ffd7eb7b349e8bed0f5d7ae5db013df1
FormBook
4692d4716a224f54c928808d2d7ee7e9eaeb8531f1cd29b91886fa511a12f07a
FormBook
59b1b0e770b3b964f7ad3290b9ebfa845b828c7819cf8282b2b7aa89530cff78
FormBook
6307b6ffc48a88aeeff567c7a296ca6daf830f9b4eecf9f48352c489e5256fca
FormBook
936aa436f6a85762fe0fa8f9f14af43e5a53ba7bf398f279925f73dc511c09b4
FormBook
a500f27709fb009950d25abae11f25c6e8e0205d15931530467ecfb342a661ad
FormBook
a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538
FormBook
ac120fadb0fde46db30df42a52a0b65d34fa6621fa13f18c11b5fe93626dcf6d
FormBook
+ 765 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d07c84e1a76a33a51167ad5b8146c134186ddfd519866cc13932bea91eebfe42

FormBook

Executable exe 73734608e9413c807c8f09f793b55b77425b328052b5fa4ff82d66d6d4c15a34

(this sample)

  
Dropped by
MD5 48639e1420ed32793e6e804a3ab997f9
  
Dropped by
MD5 c7ca49decaf507c4042689c644ad19f0
  
Dropped by
GuLoader
  
Dropped by
SHA256 d07c84e1a76a33a51167ad5b8146c134186ddfd519866cc13932bea91eebfe42
  
Dropped by
SHA256 13c3779a9e9d0c6e4761a44f17e6ee8114e6f5db85aa82e07143cac705730f50
  
URLhaus
https://urlhaus.abuse.ch/url/333463/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipGetImageEncoders
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringA
WINMM.dll::mciSendStringW
WINMM.dll::PlaySoundW
WINMM.dll::waveInAddBuffer
WINMM.dll::waveInClose
WINMM.dll::waveInOpen
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExA

Comments