{
	"id": "ecb5ffc4-69f4-4dc8-8ac4-88e70b7aac4f",
	"created_at": "2026-04-06T01:31:53.511735Z",
	"updated_at": "2026-04-10T13:12:00.887715Z",
	"deleted_at": null,
	"sha1_hash": "4d10efe9718f872a8dc81e406075bdc1ca93f94f",
	"title": "COVID19 Malware Analysis - with Kill MBR Feature",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2018427,
	"plain_text": "COVID19 Malware Analysis - with Kill MBR Feature\r\nPublished: 2020-04-08 · Archived: 2026-04-06 00:17:53 UTC\r\nFor a couple of weeks now, the whole world has been having a hard time with the COVID-19 pandemic, and on top of that the event is being abused by bad guys who use the theme in their spam campaigns, in malicious macro documents that download malware to the infected machine, and even in the actual binary files. Today I decided to look further into the code of a COVID-19 malware that messes with the MBR of the infected machine, which I found on app.any.run:\r\nhttps://app.any.run/tasks/8a404eaa-f7f5-425a-a49f-ae9138ce8e1c/\r\nCovid-19 Loader:\r\nThe noteworthy behavior of this loader is that it extracts all of its main components to the infected machine by parsing its .rsrc section for resource entries of type 0x0A (RAW_DATA).\r\nhttps://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html\r\nPage 1 of 10\r\nfigure 1: parsing the .rsrc entry\r\nIt also fetches the language identifier to get the language name of the infected machine and checks whether it is \"deutsch\". If so, it uses the German (deutsch) version of its message to the user; otherwise it uses English.\r\nfigure 2: check machine language\r\nOne of these rsrc entries is a batch file that modifies several registry keys for autorun, wallpaper/cursor modification, disabling Task Manager, disabling the EULA, and forcing a shutdown.\r\nCOVID-19 FOLDER:\r\nIt creates a folder named \"COVID-19\" in the home drive, with the hidden attribute set, that contains all the components of this malware. The wallpaper and cursor.cur are used as soon as the machine is infected, and you will notice them before it requests a restart of the machine.\r\nfigure 3: the components of this malware\r\nI. mainWindow.exe - The GUI Announcer:\r\nThis file is responsible for creating the window UI that is shown during the infection. This UI tells the user that the computer is already infected and that some Windows tools will not work.\r\nfigure 4: UI of this malware including its help message\r\nII. run.exe - Execution and Persistence:\r\nThis component is almost a copy of the actual loader: it also contains the language check and the batch files in its .rsrc section, with an additional entry that executes mainWindow.exe.\r\nfigure 5: the batch file in run.exe\r\nIII. end.exe - The MBR Killer:\r\nThis is the executable responsible for modifying the MBR. First it allocates and initializes a SID in memory and checks the token membership of that SID.\r\nfigure 6: check the token membership of the SID\r\nThen it reads \\\\.\\PhysicalDrive0, where the MBR resides. The 0x200 bytes of the original MBR are converted into hex ASCII and compared against the hex ASCII value of the bad MBR embedded in its code. The modification of the MBR starts with writing the original MBR to the boot sector; next it writes the malicious MBR to the same sector, and last it writes its message to the same sector, which is printed out upon reboot.\r\nfigure 7: the malicious MBR\r\nfigure 8: the original MBR\r\nfigure 9: the code that does the MBR modification\r\nfigure 10: MBR message\r\nThe malicious boot sector only tries to display the message written into the boot sector memory, printing each character using the si register as the index pointer and int 10h.\r\nfigure 11: the malicious boot sector\r\nIOC:\r\nsha1: b87405ff26a1ab2a03f3803518f306cf906ab47f\r\nmd5: 9dbbfa81fe433b24b3f3b7809be2cc7f\r\nsha256: dfbcce38214fdde0b8c80771cfdec499fc086735c8e7e25293e7292fc7993b4c\r\nfilename: KillMBR1\r\nsha1: b2f4288577bf8f8f06a487b17163d74ebe46ab43\r\nmd5: 7def1c942eea4c2024164cd5b7970ec8\r\nsha256: c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9\r\nfilename: end.exe\r\nsha1: d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd\r\nmd5: e6ccc960ae38768664e8cf40c74a9902\r\nsha256: b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe\r\nfilename: mainWindow.exe\r\nsha1: 44fac7dd4b9b1ccc61af4859c8104dd507e82e2d\r\nmd5: b1349ca048b6b09f2b8224367fda4950\r\nsha256: c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986\r\nfilename: run.exe\r\nYARA:\r\nimport \"pe\"\r\nrule covid_mbr_gui {\r\n    meta:\r\n        author = \"tcontre\"\r\n        description = \"detecting covid_19_main_window\"\r\n        date = \"2020-04-08\"\r\n        sha256 = \"b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe\"\r\n    strings:\r\n        $mz = { 4d 5a }\r\n        $s1 = \"coronavirus has infected your PC!\" fullword\r\n        $s2 = \"Task Manager are disabled\" fullword wide\r\n    condition:\r\n        ($mz at 0) and all of ($s*)\r\n}\r\n\r\nimport \"pe\"\r\nrule covid_mbr_killer {\r\n    meta:\r\n        author = \"tcontre\"\r\n        description = \"detecting covid_19_end_exe\"\r\n        date = \"2020-04-08\"\r\n        sha256 = \"c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9\"\r\n    strings:\r\n        $mz = { 4d 5a }\r\n        $c1 = {8A 03 C1 E8 04 40 BA DC 83 40 00 8A 44 02 FF 5A 88 02 8B C5 }\r\n        $c2 = {8B D6 03 D2 42 03 C2 50 8A 03 24 0F 25 FF 00 00 00 40 BA DC 83 40 00 8A 44 02 FF 5A 88 02}\r\n        $d1 = {6A 00 68 F4 B7 40 00 68 00 02 00 00 68 FC C5 40 00 53 E8 ?? ?? ?? ?? 6A 00 6A 00 68 00 02 00 00}\r\n        $d2 = {53 E8 ?? ?? ?? ?? 6A 00 68 F8 B7 40 00 A1 F4 B7 40 00 50 68 FC C5 40 00 53 E8 ?? ?? ?? ?? 53 E8}\r\n        $s1 = \"WobbyChip\" fullword\r\n    condition:\r\n        ($mz at 0) and $s1 and 1 of ($c*) and 1 of ($d*)\r\n}\r\n\r\nimport \"pe\"\r\nrule covid_runner {\r\n    meta:\r\n        author = \"tcontre\"\r\n        description = \"detecting covid_19_unpack_run_exe\"\r\n        date = \"2020-04-08\"\r\n        sha256 = \"c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986\"\r\n    strings:\r\n        $mz = { 4d 5a }\r\n        $c = {68 0A 00 00 00 FF 74 24 04 FF 74 24 14 E8 ?? ?? ?? ?? 89 44 24 04 83 7C 24 04 00 74 24 FF 74 24 04}\r\n        $s1 = \"%homedrive%\\\\COVID-19\" fullword\r\n        $s2 = \"disabletaskmgr\" fullword\r\n        $s3 = \"NoChangingWallPaper\" fullword\r\n        $s4 = \"ADD HKLM\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" fullword\r\n    condition:\r\n        ($mz at 0) and 2 of ($s*) and $c\r\n}\r\nSource: https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html"
	],
	"report_names": [
		"covid19-malware-analysis-with-kill-mbr.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439113,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d10efe9718f872a8dc81e406075bdc1ca93f94f.pdf",
		"text": "https://archive.orkl.eu/4d10efe9718f872a8dc81e406075bdc1ca93f94f.txt",
		"img": "https://archive.orkl.eu/4d10efe9718f872a8dc81e406075bdc1ca93f94f.jpg"
	}
}