MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45
SHA3-384 hash:	4172a7cc6811b129fcd90e159329cd3a45dca4f794d3380cd7a9d8cf3ecc15be20363dd90c5146cb657a4d7b06605d13
SHA1 hash:	6ac546722e341654d3ddabbeab0e20de77296fe0
MD5 hash:	46ed637f1480905b94113f87211cbd38
humanhash:	triple-blossom-bacon-quebec
File name:	Covid-19 vaccines samples.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	110'592 bytes
First seen:	2020-04-02 06:52:09 UTC
Last seen:	2020-04-02 07:48:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e6302005cd36187c02dc4af54bec5511 (1 x FormBook)
ssdeep	3072:fw0BRe1Wu4POOExwBYh6kv/g8mTTL8fw+buPqi:4oRJpPQO
Threatray	887 similar samples on MalwareBazaar
TLSH	EFB30A55BA81CB50C0198CF2AF26C7EC8164BE319D48DA0736C63F9D3F766C1A26275B
Reporter	abuse_ch
Tags:	COVID-19 exe FormBook GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader->FormBook:

HELO: lalo.com
Sending IP: 94.177.242.156
From: Dr. Kim Jung <monique@kitsaptransit.com>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: Covid-19 vaccines samples.arj (contains "Covid-19 vaccines samples.exe")

GuLoader payload URL (FormBook):
https://drive.google.com/uc?export=download&id=1OTx0IxAGluWa0AFZHdGXDmmw1G_lgtKZ

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Filerepmalware-7646386-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-04-02 19:02:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kk6kniklquf4245lbxksvd235hqazs44u52duqv3itzdnxcnljcq._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj 83ba9d7bcfba422fd9f4e801d8f61901c56473d287d952a41530f6a49c59c905

FormBook

exe 52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45

(this sample)

Formbook

exe ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

URLhaus

https://urlhaus.abuse.ch/url/333818/

Dropped by

MD5 03db3c58e9ff87b03894a49263546b9c

Dropped by

SHA256 83ba9d7bcfba422fd9f4e801d8f61901c56473d287d952a41530f6a49c59c905

Dropping

FormBook

Dropping

MD5 4ad2d7b6f0d4bf0cad6094b02c836f9b

Dropping

SHA256 ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaLateMemCallLd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample