MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5dd8b3d4a4968fecce4bdee9ef9a29df44fa7ce4ad73002ba4dfc5ac14fa9c41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
FormBook
Vendor detections: 5
| SHA256 hash: | 5dd8b3d4a4968fecce4bdee9ef9a29df44fa7ce4ad73002ba4dfc5ac14fa9c41 |
|---|---|
| SHA3-384 hash: | 9ade163bde2b20a8bca438f4d05415c4f5bd1a552ccec5c11469812d534651a1de15479e86fd327c0069d69964e35da6 |
| SHA1 hash: | 5b983cd56afbf3128fcd12f90865584005a3452b |
| MD5 hash: | 06acb35bb611ef2532b7d0afdcfd7da4 |
| humanhash: | princess-delaware-stairway-carolina |
| File name: | REVISED ORDER |
| Download: | download sample |
| Signature | FormBook |
| File size: | 1'110'312 bytes |
| First seen: | 2020-04-21 18:01:59 UTC |
| Last seen: | 2020-04-21 22:42:16 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 56da23509857300b597637e5411ab81e (3 x FormBook) |
| ssdeep | 24576:R/T9RJXcYTBbuQL4BTbHcZd2k0H/2sig3pGMZYXKS4pWGxcNC0xH/hNaTGN8jU:x9RJXcYTtuQURLc3WH/2s/VrSH0cNnt |
| Threatray | 5'109 similar samples on MalwareBazaar |
| TLSH | 2E3512426F1CA425F9E31678A81DACCD1F58FC6B1A1302077AFB7DC3F930355A266A16 |
| Reporter |  abuse_ch |
| Tags: | COVID-19 exe FormBook |
abuse_ch
COVID-19 themed malspam distributing FormBook:HELLO: pixel.hostlogic.sg
Sending IP: 103.255.250.151
From: Nassir Bechara <Enqui_ry@hotmail.com>
Subject: COVID 19 PENDIMG ORDER enquiry KH.O2333#
Attachment: REVISED ORDER1.zip (contains "REVISED ORDER")
Intelligence
File Origin
# of uploads :
3
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Gathering data
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-04-21 17:02:39 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 5'099 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal |
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipAlloc |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::GetStartupInfoW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.