MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 052e19392c73c979c31554983a4aed5589c4ece553083dddfb4fe14ee55c440a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

SHA256 hash: 052e19392c73c979c31554983a4aed5589c4ece553083dddfb4fe14ee55c440a
SHA3-384 hash: c59f96bd94d1054f5568a42adbff438505a192c565830f6ee42c6495cb5b367b048b85af176a271a85c1fc44b2022701
SHA1 hash: cfc50d80c8ffbd8247b2adab400301103e73e886
MD5 hash: 7a6f42d25a4798aa6213103e9ce9a650
humanhash: two-spring-zulu-vermont
File name: Corona-virus(COVID-19)vaccine.exe
Signature: Formbook
File size: 733'696 bytes
First seen: 2020-04-01 11:53:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a17563c04d15b724e8cf090518294c73 (5 x Loki, 1 x AZORult, 1 x 404Keylogger)
ssdeep: 12288:nKzVIr2VadKEcOhKj/EZhhxqhe4g1euWUtl95sfDrOx8gRo:gmJdKKKjmhyVg1euXZ5ErOx8C
Threatray: 3'388 similar samples on MalwareBazaar
TLSH: 60F4BF36B3E1C473D1272A389D1BA7B4AC26FE101F186566EBF90C0C9F3969139391D6
Reporter: abuse_ch
Tags: COVID-19, exe, FormBook


abuse_ch
COVID-19 themed malspam distributing FormBook:

HELO: ps.hostingenlaweb.com
Sending IP: 108.170.35.67
From: Dr. Stella WHO Asst <noreply@WHO.com>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: Corona-virusCOVID-19vaccine.arj (contains "Corona-virus(COVID-19)vaccine.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Fareit
Status: Malicious
First seen: 2020-04-01 01:22:31 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 29 of 31 (93.55%)
Threat level: 5/5

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 052e19392c73c979c31554983a4aed5589c4ece553083dddfb4fe14ee55c440a (this sample)

Dropped by: 7e765af2d1bf7c139df8fb2bb5eef1268b3cf356f7192f4f221c42104fad2a89

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                 | Title                                                     | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                      | high
CHECK_NX           | Missing Non-Executable Memory Protection                  | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection  | high

Reviews

ID                 | Capabilities                       | Evidence
COM_BASE_API       | Can Download & Execute components  | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API     | Can Play Multimedia                | winmm.dll::mciGetErrorStringA, winmm.dll::mciSendCommandA
WIN32_PROCESS_API  | Can Create Process and Threads     | kernel32.dll::VirtualAllocEx, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API       | Uses Win Base API                  | kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoA, kernel32.dll::GetDiskFreeSpaceA, kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API  | Can Execute other programs         | kernel32.dll::WinExec
WIN_BASE_IO_API    | Can Create Files                   | kernel32.dll::CreateFileA, kernel32.dll::GetFileAttributesA, kernel32.dll::FindFirstFileA, version.dll::GetFileVersionInfoSizeA, version.dll::GetFileVersionInfoA
WIN_BASE_USER_API  | Retrieves Account Information      | kernel32.dll::GetComputerNameA
WIN_REG_API        | Can Manipulate Windows Registry    | advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA
WIN_USER_API       | Performs GUI Actions               | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::CreateWindowExA
