MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1f162de16e870488790a44add3a4b746b1791d0f7969c441cce3a19a43a1651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 4



SHA256 hash: a1f162de16e870488790a44add3a4b746b1791d0f7969c441cce3a19a43a1651
SHA3-384 hash: f9ce7705a6c9223dfbb7473a6b7a3dddeec4bec92d2538850c67e0d9efe1a23b38dbd3be924dfadba3e335421ab72ab1
SHA1 hash: 4625d77b5a46550eeafa2df9d369008a9e5ee6f9
MD5 hash: 32f7705ec1779f661b0df15aaa14ceb9
humanhash: colorado-carolina-mars-cola
File name: SecuriteInfo.com.Win32.Injector.ELKE.4172
Signature: FormBook
File size: 159'744 bytes
First seen: 2020-04-08 10:49:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 529b27ced721d2f983b0761189498a13 (1 x FormBook)
ssdeep: 1536:01aMA+BcN3HgJp0wa/pKQpIH9YxvHx0ddy8yRAV/bC37FkXm3h80:HMA+mN3HgJpra/TpIH9YxvR09zCri4
Threatray: 501 similar samples on MalwareBazaar
TLSH: 87F3A4A577A0FAE5F00208F5B939BE7824F43C352A08640FFBC2736565BA649F934653
Reporter: SecuriteInfoCom
Tags: FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-04-08 09:38:12 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 24 of 31 (77.42%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

BLint


The following tables provide more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |

Reviews

| ID | Capabilities | Evidence |
|---|---|---|
| VB_API | Legacy Visual Basic API used | MSVBVM60.DLL::__vbaObjSetAddref; MSVBVM60.DLL::EVENT_SINK_AddRef; MSVBVM60.DLL::__vbaLateMemCallLd |
