MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8
SHA3-384 hash: 3c412a398118cf89cfad22ae42ef294a1a971fa1bb56091273767146d0cfa78b5ba8ca8de9bfbd929236849dc5caeab4
SHA1 hash: 28570cb6116c0b81797d18ad82b1295f22b9f190
MD5 hash: 4ad2d7b6f0d4bf0cad6094b02c836f9b
humanhash: burger-minnesota-romeo-oregon
File name:46ed637f1480905b94113f87211cbd38.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:171'520 bytes
First seen:2020-04-02 04:30:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:hHKjGzP1BNWB3WJR9uaVT82xVdacTxG1+KZZY7hFrhwt:WqiWnTT82d/GgKPY7h9i
Threatray 5'052 similar samples on MalwareBazaar
TLSH 29F3AF32D641C431E2B241B5F67D0B7B883E0D35369964EAE3A41AE06EF44A5F52E31F
Reporter abuse_ch
Tags:exe FormBook GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1OTx0IxAGluWa0AFZHdGXDmmw1G_lgtKZ

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Win.Malware.Formbook-7399661-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Formbook
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 04:35:49 UTC
File Type:
PE (Exe)
AV detection:
42 of 47 (89.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2da6olwxjo7hrcgljfwbujjqbtx3tgjmgu7vekvlr5z3ykmhxma._file
Verdict:
malicious
Similar samples:
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
Formbook
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
Formbook
52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9
Formbook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
Formbook
916237116e09e4233846389b7410a8ccc7e7ef96c0ed97c3fdb19a08499504af
Formbook
9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458
Formbook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
Formbook
bf58aecacc268c49d707512236a42c80cf096b24850c3096eb056f662ecbe2e3
Formbook
ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645
Formbook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
Formbook
+ 5'042 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj 83ba9d7bcfba422fd9f4e801d8f61901c56473d287d952a41530f6a49c59c905

FormBook

Executable exe 52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45

Formbook

Executable exe ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

(this sample)

  
Dropped by
MD5 46ed637f1480905b94113f87211cbd38
  
Dropped by
MD5 9dc582cbdb31a04e57db82cd8a062941
  
Dropped by
GuLoader
  
Dropped by
SHA256 52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45
  
Dropped by
SHA256 4fa0af374acec1b8eaade9ff8f51f52b4d7b75e17c8408c77b04d664c82621b7
  
URLhaus
https://urlhaus.abuse.ch/url/333818/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
commented on 2020-04-02 06:52:18 UTC

COVID-19 themed malspam distributing GuLoader->FormBook:

HELO: lalo.com
Sending IP: 94.177.242.156
From: Dr. Kim Jung <monique@kitsaptransit.com>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: Covid-19 vaccines samples.arj (contains "Covid-19 vaccines samples.exe")

GuLoader payload URL (FormBook):
https://drive.google.com/uc?export=download&id=1OTx0IxAGluWa0AFZHdGXDmmw1G_lgtKZ