MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea5a4fb25528051254f255dc64913ca7d4faa1ecba2f40a55b536f871624fb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ea5a4fb25528051254f255dc64913ca7d4faa1ecba2f40a55b536f871624fb9
SHA3-384 hash: 24077d67d61b0a5b4c0f4256cfc4fb4517b6325c8dcbb7cbfaefa106249cc5ebb014a6c1823ef3ad66556a69f3f5400b
SHA1 hash: f7cbd77555b01f41bcf8d03fb85d05303bf68c67
MD5 hash: cd5faffe1a0378ef892d798532c399a6
humanhash: king-fillet-bakerloo-snake
File name:COVID-19 Vaccine.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:139'264 bytes
First seen:2020-03-27 09:50:11 UTC
Last seen:2020-03-27 11:32:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b20c2b01e9d86fe0918430668aec2238 (1 x Formbook)
ssdeep 1536:teRHC5ODadkRKpgn3urkpcccRpH1sadOm/Q5WpUMUO4vzoTUrxA:teIzkRKinYacccRdyaAmZU5y
Threatray 4'863 similar samples on MalwareBazaar
TLSH 2CD36B77BA62C454CA500E740C6BC3A855B07C20BC509BDFBB653F5C98B4E0BEE62766
Reporter abuse_ch
Tags:COVID-19 exe FormBook GuLoader


Avatar
abuse_ch
COVID-19 themed malspam, pretending to come from "Dr. Stella" at WHO:

GZ archive->GuLoader->FormBook

HELO: ps.hostingenlaweb.com
Sending IP: 108.170.35.67
From: Dr. Stella WHO Asst <noreply@WHO.com>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: COVID-19Vaccine.gz (contains "COVID-19 Vaccine.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Noon-7646052-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-03-27 04:50:50 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 30 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2s2j6zfkkafcjkpevo4msitzj6u7kq6zorpicsvwu3pq4lcj64q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
052e19392c73c979c31554983a4aed5589c4ece553083dddfb4fe14ee55c440a
Formbook
0e0472b3b50c46eff5b4529b1bb8dd54f60db45f4bc772d3bef3666a72e15898
Formbook
2bde030373678bb2df1223cd3e3c4e7f2992e30739dcc63b688368f02a100067
Formbook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
Formbook
490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
Formbook
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
Formbook
730fd544eac15f337f3d2acfd6473f2ab1d8037da100855ca93cdc88f9edf681
Formbook
8e5e93b6f3eee7f1a08a0420b25105017d3479769e6bf9d6b2518d3abc6b1a75
Formbook
8f71441f8e9db24dceee698de265dab77bda6298ceb4b9bc8cb1d77a54d7229d
Formbook
95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6
Formbook
+ 4'853 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 3de1aa5cd2d05f38c192ebecf2a0fdcd04174fdc217879e5c52b331d16702e52

Formbook

Executable exe 2ea5a4fb25528051254f255dc64913ca7d4faa1ecba2f40a55b536f871624fb9

(this sample)

FormBook

Executable exe 0e0472b3b50c46eff5b4529b1bb8dd54f60db45f4bc772d3bef3666a72e15898

  
URLhaus
https://urlhaus.abuse.ch/url/330807/
  
Dropped by
MD5 c73755b8ad20a371ac935f5820371563
  
Dropped by
SHA256 3de1aa5cd2d05f38c192ebecf2a0fdcd04174fdc217879e5c52b331d16702e52
  
Dropping
FormBook
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0e0472b3b50c46eff5b4529b1bb8dd54f60db45f4bc772d3bef3666a72e15898
  
Dropping
MD5 38002648240387caa73baddffa787e0b
  
Dropping
SHA256 0e0472b3b50c46eff5b4529b1bb8dd54f60db45f4bc772d3bef3666a72e15898
  
Dropping
SHA256 0e0472b3b50c46eff5b4529b1bb8dd54f60db45f4bc772d3bef3666a72e15898

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments