MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a4827b1355e83175a1ff06792046f8f81e7140748600743636a7725f9a79c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9a4827b1355e83175a1ff06792046f8f81e7140748600743636a7725f9a79c5
SHA3-384 hash: 989353b8b1d4802f2248c9190fc68401f104137705beadc6f93c0ad91a330dece2b0c25a61fbe746df7145820ee15433
SHA1 hash: ea37aaffd1b20e7829bbb17511ccb4abf5cad1fa
MD5 hash: fae1b4e5f56cc0624b29527a45a9206d
humanhash: eight-skylark-fruit-paris
File name:748602b9156d21bad56b0258ac0233b2.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:172'032 bytes
First seen:2020-03-31 16:40:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:cDu73SPDoR1c1Jk+dA/ndiTODPmxksgFKRbaACGghV6Ir/HEuaM3a:WI+nJfsndnDPmxksRR9py6Ir8ul
Threatray 4'974 similar samples on MalwareBazaar
TLSH 58F3AE72DA41C431E2B241B5BB7D0B76883D0E35729561F6A3F429E06FB08A5B52E31F
Reporter abuse_ch
Tags:exe FormBook GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1UrSVYWQVD5e0ZzOppGXUWH6fw6rygt9h

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Win.Malware.Formbook-7399661-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Formbook
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 17:55:54 UTC
AV detection:
28 of 30 (93.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gsie6ytkxudc5nb74dhsicg7d4b44kaosdaa5bwg2txex42phcq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
FormBook
145fe82f875fa5dffa93f13326c20badef3d69187f55ffb85bc0d89172c5ce11
FormBook
1db7fd03dd728cf21ada9d1bed2921bb70104a77935ad50aaa0851d4a6d3ccb5
FormBook
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
3964739a8988be3dc3ffe71ce4fdd86bfef579f4cfdfac1c97d123805cd0ea2a
FormBook
5e09510e834b75413af64e013eda43df867fab6080facf4227a08ca64861a244
FormBook
68739817fe82121fcedf1092eca699f59941678ddd9622062c8d40c200bef82f
FormBook
6b1c79f707bb3089e1568373e8751022e8fc6cf14a318f58041a247c97ccf317
FormBook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
FormBook
+ 4'964 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar dfc463b9f6217a2c3375e0bd7da6796feb7b29b7b7975586bc14f3c1a5c11c2f

GuLoader

Executable exe 145fe82f875fa5dffa93f13326c20badef3d69187f55ffb85bc0d89172c5ce11

FormBook

Executable exe f9a4827b1355e83175a1ff06792046f8f81e7140748600743636a7725f9a79c5

(this sample)

  
Dropped by
MD5 748602b9156d21bad56b0258ac0233b2
  
Dropped by
MD5 3cdd0ff62ad4c7b7d271fba4406ddf9f
  
Dropped by
GuLoader
  
Dropped by
SHA256 145fe82f875fa5dffa93f13326c20badef3d69187f55ffb85bc0d89172c5ce11
  
Dropped by
SHA256 03c68b3cbd27c18857a35ac050184653a493a3ae55c51772f1120acb13a3a3e4
  
URLhaus
https://urlhaus.abuse.ch/url/332781/
  
Dropped by
SHA256 65bd5f3bc433f60bfc5ea392aaa33539592d657cbe2d316b25b24c9e12c225cc
  
Dropped by
MD5 74eb0bbdc7ebdd505ab11e57037092d5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
commented on 2020-04-01 14:05:56 UTC

COVID-19 themed malspam distributing GuLoader->FormBook:

HELO: novo.com
Sending IP: 89.38.149.103
From: Jake Johnson <Jake@pmj-interational.com>
Subject: COVID-19 Company Statement
Attachment: Company Statement.z (contains "Company Statement.exe")

GuLoader payload URL (FormBook):
https://drive.google.com/uc?export=download&id=1UrSVYWQVD5e0ZzOppGXUWH6fw6rygt9h