MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 09c8b2cb43b6f29d1dd7c642178ab2d89357005f7928dfb6ff5bdddba7be2891. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 4
| SHA256 hash: | 09c8b2cb43b6f29d1dd7c642178ab2d89357005f7928dfb6ff5bdddba7be2891 |
|---|---|
| SHA3-384 hash: | 5d094d8e028333068448d93d965c2f514d6567aa73a8387b3db6c4b75172f35b01770378599f4b03a02edca8f93d26d3 |
| SHA1 hash: | 99ff61e8df2e599bd1d323b9cbada5019f538794 |
| MD5 hash: | 00626db71c80a17597abf7499465a67b |
| humanhash: | carpet-river-oklahoma-alanine |
| File name: | Bank letter for SOA Payment pdf.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 758'784 bytes |
| First seen: | 2020-04-20 14:24:22 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 4254a3a593379a647e2d5113790b82a2 (5 x AgentTesla, 1 x Formbook) |
| ssdeep | 12288:orBhtl7WwJqzmHbCn93en4QXrSefPGMzZWnDEOAoTjkIGnTo0:aP0w9Hm9e42L+AQn9AoTPGnTo0 |
| Threatray | 5'311 similar samples on MalwareBazaar |
| TLSH | 9DF49E23F3E04877D3671939CD1B56649839BE102E28AA476FE41F4C9F3878178662E7 |
| Reporter |  abuse_ch |
| Tags: | COVID-19 exe FormBook GuLoader |
abuse_ch
COVID-19 themed malspam distributing FormBook:HELO: dias.adhoc.gr
Sending IP: 188.40.170.194
From: Daeho Shipping Co., Ltd. <joanne@borneodream.com>
Subject: RE: Delayed SOA Payment Due To COVID-19 Situation,
Attachment: Bank letter for SOA Payment pdf.zip (contains "Bank letter for SOA Payment pdf.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Status:
Malicious
First seen:
2020-04-20 00:08:39 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
28 of 31 (90.32%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
netwirerc
Similar samples:
+ 5'301 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle kernel32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.