MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeec66084fc56b1e253dc3803ee3bf59a71e403a41f55fa6068428e15214ccaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeec66084fc56b1e253dc3803ee3bf59a71e403a41f55fa6068428e15214ccaa
SHA3-384 hash: 95e4aaad68d5e7dffd77410acdc167026f4d8671a277716684d39721e76595f66bf90dd4dd7a2eb30a28d26bedb25a75
SHA1 hash: 04b2e4c951b4dbf33ae78d0ca125696484d2d533
MD5 hash: b36954cc7b62465a1351c26539cf003c
humanhash: moon-hydrogen-missouri-johnny
File name:eeec66084fc56b1e253dc3803ee3bf59a71e403a41f55fa6068428e15214ccaa
Download: download sample
Signature Formbook
Create hunting rule
File size:526'040 bytes
First seen:2020-03-23 15:57:58 UTC
Last seen:2020-03-23 16:17:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ab3eee3f739312f05f179daede7e3ff (1 x Formbook)
ssdeep 6144:C9Pc+kSY+uPA0Luruo+mgvlxIMahVl7gFiXeTU05U:UPcUwqrenik5+
Threatray 4'849 similar samples on MalwareBazaar
TLSH 21B43DC24FAC78A9F6B287FDBD3EC7935C46765088E27631345C22A1CC6BE274096971
Reporter Marco_Ramilli
Tags:exe FormBook

Code Signing Certificate

Organisation:France disticht
Issuer:France disticht
Algorithm:sha256WithRSAEncryption
Valid from:Apr 3 14:02:25 2019 GMT
Valid to:Apr 2 14:02:25 2022 GMT
Serial number: 01
Intelligence: 370 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 08C0A123640E19F158BC4D0EEF25F693A54C1C9E591B37256071F319E17B50A4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Swotter-6975546-0
Create hunting rule

Win.Malware.Noon-6975587-0
Create hunting rule

Win.Malware.Crypmod-6980686-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2019-04-04 13:03:41 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 30 (80.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
Formbook
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
Formbook
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
Formbook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
Formbook
560c76df97fdc5816fa9310921082a04b44b781e60bc77f84b970df04a36d1f4
Formbook
65cd6807556189c85811f11fb91a981749e7d9760e5a72c0845dd6b8ff93a8f9
Formbook
6fc9f21abe34724c6ef2f0d08abe3aaef6f5dd4c18b365647787fe125626b91e
Formbook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
Formbook
e42e9a9d0222fd8eecd5b406ceb2ab65a9c965d9f3d5d11043ea84a69349f432
Formbook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
Formbook
+ 4'839 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe eeec66084fc56b1e253dc3803ee3bf59a71e403a41f55fa6068428e15214ccaa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/172086/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments