MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e69b8fd60587c96889281d8d227d73f3e3f279c7b40902489a4359277ae9f727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	e69b8fd60587c96889281d8d227d73f3e3f279c7b40902489a4359277ae9f727
SHA3-384 hash:	6f40f201cba37bf91cca70856efdfd1b0aad75828c8b1cfdc70caad7fb47f2f0d10bebb34aeae233e9f2c54800f97b5a
SHA1 hash:	2e2d1af9c009b0f5ac29400274eb995fff974d4b
MD5 hash:	ac47cb7c0f0a8d64a4a5fb699c3cec2a
humanhash:	april-video-hamper-two
File name:	e69b8fd60587c96889281d8d227d73f3e3f279c7b40902489a4359277ae9f727
Download:	download sample
Signature	Formbook Create hunting rule
File size:	524'464 bytes
First seen:	2020-03-23 16:27:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	92bcda43100ed42f68b2810de4f73641 (1 x Formbook)
ssdeep	12288:N8NZXZYi0brJD7aw/FfiGK3mRUBeN9fbc/O8r2Qu3TA2gG33jAXqPj:N8Xi97awdfM3/A1j
Threatray	4'822 similar samples on MalwareBazaar
TLSH	95B4DF836E80C5E8D2B72939B3C59911B7A0BF82B7CFE55B1059369A72B13074B5D02F
Reporter	Marco_Ramilli
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Midie-6856577-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2019-02-12 19:59:00 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Verdict:

malicious

Label(s):

netwirerc

guloader

Formbook

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

Formbook

6cfae9fac2b59c2520f8911a66bd16899886170ff2a5f17f40161ac47f66b0ff

Formbook

7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6

Formbook

8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741

Formbook

a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091

Formbook

c4e474e869076cbf955d57568015fe56732e0b3af1592f03e023063ac2875030

Formbook

ceec91127018aba0be51981277015baf08e3f0ef6fbd0a5efe5821fa698ba645

Formbook

e30934706120cb94fa1b52ff9d64ae43a3ea73b51efeaf50a936a982a9a7d5e2

Formbook

e3a2d9d8eef268fafbeaeaf36b05c94ce9a4cf725c77dcf49d8c42d0fe012014

Formbook

+ 4'812 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe e69b8fd60587c96889281d8d227d73f3e3f279c7b40902489a4359277ae9f727

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/122477/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample