MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcd9aa0b18caf74a7d771c9802cdbb4f05a810c29c2d093252f004564fe4ed2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcd9aa0b18caf74a7d771c9802cdbb4f05a810c29c2d093252f004564fe4ed2b
SHA3-384 hash: 95ad2eb26acc416204466117b5a0ac283c363f94c30aefaf8eb8ac406bce31100c473461a14698de1b35dda62f87d099
SHA1 hash: 98cb4d658ac1f16412c0255477b73586061a57c2
MD5 hash: 2c1fe24e7b0abe668a26653a8077f9a1
humanhash: papa-quebec-william-nitrogen
File name:invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:655'872 bytes
First seen:2020-04-15 11:03:26 UTC
Last seen:2020-04-15 11:59:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a6aeac54320258ec433d218798aa4e9 (1 x Formbook)
ssdeep 12288:K+LW6n5UJCEJBeaGpqVFQpJRevrLuTKXd+NznSmFE4XTRvRqr:rLWkuJp4awqVFQpJR+rLuGXd+NznnFE1
Threatray 2'093 similar samples on MalwareBazaar
TLSH BCD412DBA5FDC5A0D4DC86311D0E76A02EC4FC93A40713390889F6A9B1B7B28A4B7775
Reporter abuse_ch
Tags:COVID-19 exe FormBook


Avatar
abuse_ch
COVID-19 themed malspam distributing FormBook:

RAR->IMG->EXE

HELO: salo.com
Sending IP: 94.177.240.142
From: Chu Lam Yiu <tskiba@besser.com>
Subject: COVID 19 PENDIMG ORDER
Attachment: KH.O2333.rar (contains "KH.O2333#.img" -> "invoice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/1272/
Detection(s):
SecuriteInfo.com.LuheFihaAL.12297.23711.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-04-15 13:01:18 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtm2ucyyzl3uu7lxdsmaftn3j4c2qegctqwqsmss6acfmt7e5uvq._file
Verdict:
malicious
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
Formbook
0cd1ca47d2e04de65562e1ba4d8ce4545ee486999f8f0eb7adc880c7fb7fc9b8
Formbook
1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455
Formbook
2ad145ebeae4ff20eeb893b16658fe43d7557f30c746edc355a5dceb393bf8bb
Formbook
872c6f0c21cc04decb1b21636a3c5bf3f128dff7d4c43500cd56dd8f24d8a54a
Formbook
aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349
Formbook
c8bdfc9eea22464897b3dae7829464348f27a1ff1989cf33d1de95bc0a99527f
Formbook
c921c868103f592befe1f7c0787c6389b914d8f09ffd8cccac514b610dfc1975
Formbook
e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de
Formbook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
Formbook
+ 2'083 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 418fc8f93bfeab75d54ea3b9bf1d91292f6aa1f858dfbf95b03dac82b0c1a4b5

Formbook

img 37f65d5e014785e5485a0e030b4256e946bf2cd6cff7aae59199382346d2daeb

Formbook

Executable exe bcd9aa0b18caf74a7d771c9802cdbb4f05a810c29c2d093252f004564fe4ed2b

(this sample)

  
Dropped by
MD5 78ad1b79a6335a870b1cf9060480c073
  
Dropped by
SHA256 37f65d5e014785e5485a0e030b4256e946bf2cd6cff7aae59199382346d2daeb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/1272/
Cape
Cape
https://www.capesandbox.com/analysis/1271/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments