MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4
SHA3-384 hash: f37777597e8c1cbc9cf2ba314c4ce934dc7fd3ecb1c84ef6b300ae9b702c03f24c15e05542340aff72df6b7e1ebc4028
SHA1 hash: b451c5667a1491a99e7c54e549fa89049beba10f
MD5 hash: 724b0343f5f55aab914f610c1164cdcd
humanhash: angel-tennis-earth-ceiling
File name: Payment Slip_GS2004011507 & GS2005014760_pdf.exe
Signature: FormBook
File size: 312'081 bytes
First seen: 2020-06-30 06:03:17 UTC
Last seen: 2020-06-30 11:41:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0
ssdeep: 6144:VPCganNRStrVpXem5+ZbEcfqyR0IhuNyMDhSj02FfE/3TscQolEJ8:7anatrVpXZANF08MDhSRKDsc0i
TLSH: F164131522F0A4E3D46E49F015BE3B66B6B56F0AD2821747EBC43A143DB3A834F1F159
Reporter: @abuse_ch
Tags: exe FormBook


Twitter (@abuse_ch):
Malspam distributing FormBook:

HELO: mail.emsbd.com
Sending IP: 202.40.181.229
From: ChinPhil Marine Services <s.juaniza@chinphil-marine.com>
Reply-To: s.juaniza@chinphil-marine.com
Subject: PAYMENT for Invoice GS2004011507 & GS2005014760 100% Deposit(OVERDUE DATE-06 MAY 2018)
Attachment: Payment Slip_GS2004011507 _ GS2005014760.pdf.arj (contains "Payment Slip_GS2004011507 & GS2005014760_pdf.exe")

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 35
Origin country: FR

CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/16791/

ClamAV: PUA.Win.Downloader.Soft32downloader-6691270-0; SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL

CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4/

ReversingLabs Status: Malicious
Threat name: Win32.Trojan.Injexa
First seen: 2020-06-30 01:21:02 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage Score: 7/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-nl4g8kgp7e/
Tags: evasion trojan

VirusTotal results: 16.67%

Yara Signatures


Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4 (this sample)

Delivery method: Distributed via e-mail attachment

Comments