MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77ccc8e4098cda8ee5e2e1933a3c5e630e56b1ba17550648f0660c3977d0ad08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	77ccc8e4098cda8ee5e2e1933a3c5e630e56b1ba17550648f0660c3977d0ad08
SHA3-384 hash:	5a9069436c75f4f67fe4d66439159fe367cd1fd9a45ffd5dac23403d5b3f4539960d2b20fc15d48b17426f3fd2b1d55a
SHA1 hash:	91f13d6ce34fae3bbfa48dec5302573c883fe29b
MD5 hash:	488862d80a112bbb96cccb90acbe60fc
humanhash:	fish-foxtrot-hotel-october
File name:	COVID-19 Vaccine.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	143'360 bytes
First seen:	2020-03-28 09:28:31 UTC
Last seen:	2020-03-28 11:37:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e39c7869076e939ec7aa117178590df8 (1 x FormBook)
ssdeep	1536:tWIr/Z+x2huI1LvC03hokxNMSjvtdmJ+gmLpUPl:tZx+x2hpvVhok5bmJ+gms
Threatray	617 similar samples on MalwareBazaar
TLSH	87E33C23AD18C566EC5445714E59839D0E22BC20B5999BCB33857B6FECFAF03E8A1345
Reporter	abuse_ch
Tags:	COVID-19 exe FormBook GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader that drops FormBook:

HELO: rep.pulapint.nl
Sending IP: 67.207.88.169
From: info@rep.pulapint.nl <info@rep.pulapint.nl >
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: COVID-19Vaccine.arj (contains COVID-19 Vaccine.exe)

GuLoader payload URL (dropping FormBook):
https://drive.google.com/uc?export=download&id=11gsxnBxEfe18C1fAYV9kpdESsdsXUox3

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Vebzenpak-7645390-0

Gathering data

Threat name:

Win32.Trojan.Noon

Status:

Malicious

First seen:

2020-03-26 15:34:20 UTC

AV detection:

25 of 30 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o7gmrzajrtni5zpc4gjtupc6mmhfnmn2c5kqmshqmygds56qvuea._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj 2e04c8c51c9ab2c5665ab1991f9200d33aa49b7ae0a8f9880986582dc8a9db0e

FormBook

exe 77ccc8e4098cda8ee5e2e1933a3c5e630e56b1ba17550648f0660c3977d0ad08

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/330223/

Dropped by

MD5 d911ce0fc48332cbcca9c5c1c4172f69

Dropped by

SHA256 2e04c8c51c9ab2c5665ab1991f9200d33aa49b7ae0a8f9880986582dc8a9db0e

Dropping

FormBook

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample