MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 491afea427ab2e087853f552fc510577c77b5981a525f55a0cf4bec66d485a6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 491afea427ab2e087853f552fc510577c77b5981a525f55a0cf4bec66d485a6e
SHA3-384 hash: c9e95749e2538857772e07e080ad09a1b95586a23a456a0244351bcef4a69f86ff74752147a0f3232c47842b31d49219
SHA1 hash: 94ac94f4f30823888ebf0947189027fa62725f2d
MD5 hash: dba4d996666a0446a151b04a5d0d07a1
humanhash: oklahoma-georgia-football-monkey
File name:COVID-19 VACCINE SAMPLES.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:102'400 bytes
First seen:2020-03-31 06:49:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 82605fa40c5606b1c5ce16b33825f71f (1 x FormBook)
ssdeep 1536:nUVNoaN5N2tDH6//Jpdgo1bcaeMFWTkMaea:niNKtrIqm7x
Threatray 1'149 similar samples on MalwareBazaar
TLSH 56A3E712FA11BCA4D1384D768B71CB8C23417E256E09BE4335C83ECE7AF51597543E9A
Reporter abuse_ch
Tags:COVID-19 exe FormBook GuLoader


Avatar
abuse_ch
COVID-19 malspam distributing GuLoader->FormBook:

HELO: momo.com
Sending IP: 89.36.214.239
From: Dr Luis Jorge Perez (WHO) <mcclure@cedarpoint.com>
Subject: Corona-Virus Disease (COVID-19) Pandemic Vaccine Released
Attachment: COVID-19 VACCINE SAMPLES.arj (contains "COVID-19 VACCINE SAMPLES.exe")

GuLoader payload URL (FormBook):
https://drive.google.com/uc?export=download&id=1VF3m3hCA36Tj4qIvieLmWFwgJEHZycBB

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-7643821-0
Create hunting rule

Win.Dropper.Remcos-7647550-0
Create hunting rule

Win.Trojan.Ponystealer-7648176-0
Create hunting rule

Win.Trojan.Generic-7648215-0
Create hunting rule

Win.Dropper.Remcos-7683428-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-30 16:17:42 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jenp5jbhvmxaq6ct6vjpyuifo7dxwwmbuus7kwqm6s7mm3kiljxa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b
FormBook
02f2999240877abff06ad4728307dd9069b5ecf8a862b8fc786343f83553a3db
FormBook
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
FormBook
15c365dfb62dc041e46ede5ae90f2e0966d1000b5936f0ed5d68f5d10e813171
FormBook
6f47b4825836d58654b05deac55c892825a83e479c406b9b027a0dc6bd8e3938
FormBook
7f634109798c4160a15a6cc810fe2d8670f419008ec6a12d36a537ad4de7fccc
FormBook
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
FormBook
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
FormBook
abc26a4dae06f9fa3a58be8ae001afa9b529384fd22814469cd4e7bc5b8c1255
FormBook
d7162b14867eff2ee6b1c0506f91c4e8c1a1cea0ddae632bd49156a179549772
FormBook
+ 1'139 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj 6d08228ca74544dba73ef3933c3ff5174ab4e61e258cca6d5569893bc6e259fc

FormBook

Executable exe 491afea427ab2e087853f552fc510577c77b5981a525f55a0cf4bec66d485a6e

(this sample)

FormBook

Executable exe 8ec11f04a12e5db826d13fdc5d764ba00145a60dbf89db107f1d1d176d680316

  
URLhaus
https://urlhaus.abuse.ch/url/331992/
  
Dropped by
MD5 a2c10dd3edfd781c9094ae032f875ccc
  
Dropped by
SHA256 6d08228ca74544dba73ef3933c3ff5174ab4e61e258cca6d5569893bc6e259fc
  
Dropping
MD5 62aa8261e34167de7394d3e4f71d97e9
  
Dropping
SHA256 8ec11f04a12e5db826d13fdc5d764ba00145a60dbf89db107f1d1d176d680316
  
Dropping
FormBook
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments