MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c4cd89d489b7605791a6cbb36b373089c926972fe51b5ddaa584f0870febf58f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 4
| SHA256 hash: | c4cd89d489b7605791a6cbb36b373089c926972fe51b5ddaa584f0870febf58f |
|---|---|
| SHA3-384 hash: | ef0705522c8974b9bf9a9e1cfc73064619097a804ede8b2e40ff20f6f35f37f483fe5b14965ce0481b46cd6f7efbd8a0 |
| SHA1 hash: | 055eb4688dd3d990b6aeb1d4c0602fff78f7b8d4 |
| MD5 hash: | 8fb9e42a0f3d38456fb8952a8b8ca2e4 |
| humanhash: | high-oxygen-cup-six |
| File name: | PO April.exe |
| Signature: | FormBook |
| File size: | 957'328 bytes |
| First seen: | 2020-05-01 11:02:58 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | f00d8dcb202a28bfc47f99ef51cb4107 (3 x FormBook) |
| ssdeep: | 12288:4sy8aWbRpwMy5Ibee+mTH26jUFDLciBqAbc1tY1NhVNEwc:r0WTg1U/uZj4EDNEwc |
| Threatray: | 5'099 similar samples on MalwareBazaar |
| TLSH: | 4C159E82B14884DBE96B19B3983BEA301147BEEE90F1821D356E772544F3342156FE6F |
| Reporter: | |
| Tags: | exe FormBook |
Code Signing Certificate
| Organisation: | VeriSign Time Stamping Services Signer - G2 |
|---|---|
| Issuer: | VeriSign Time Stamping Services CA |
| Algorithm: | sha1WithRSAEncryption |
| Valid from: | Jun 15 00:00:00 2007 GMT |
| Valid to: | Jun 14 23:59:59 2012 GMT |
| Serial number: | 3825D7FAF861AF9EF490E726B5D65AD5 |
| Intelligence: | 44 malware samples on MalwareBazaar are signed with this code signing certificate |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 8815DFF787F21FA8106760CB89C5B4493F4BD45E2CE801D2A4FE1F61DEE0C039 |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
abuse_ch
Malspam distributing FormBook:
HELO: cathay-food.co
Sending IP: 111.90.140.123
From: Kelvin <info@marco-podesty.pl>
Reply-To: piusequip20@protonmail.com
Subject: FW: we need supplies urgently
Attachment: PO April.zip (contains "PO April.exe")
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 93 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Threat name: | Win32.Trojan.Formbook |
|---|---|
| Status: | Malicious |
| First seen: | 2020-05-01 04:51:19 UTC |
| File Type: | PE (Exe) |
| Extracted files: | 15 |
| AV detection: | 24 of 30 (80.00%) |
| Threat level: | 5/5 |
| Detection(s): | Malicious file |
| Verdict: | malicious |
| Label(s): | emotet, trickbot |
| Similar samples: | + 5'089 additional samples on MalwareBazaar |
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW |