MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c
SHA3-384 hash: a033dae4950b91d11ac7dcfa505746e7bd54c957a63ee195a23903a25703c42b18439e47fa817d2b7f40477a0cc6d743
SHA1 hash: 4b194a95ce2cd3528106850c4d428ea3f0d4e678
MD5 hash: 7381ed46748006c9b5ae5fa855a3061c
humanhash: ceiling-pip-fish-blossom
File name:RFQ-1579.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:806'575 bytes
First seen:2022-04-21 06:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:yYQZMutWqdKZIC+Gsg8mWlTTTTew16uKCsTiSxToJFYJg:yYQZMutWqdKZXrDWlWqLpYY6i
Threatray 15'249 similar samples on MalwareBazaar
TLSH T132058DF074D6C4CEE1B652358170E77CC9C5FE80192A825A5DC63ADFF53B280EA5A1B2
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1ffe879b8f3c30a0 (2 x Formbook)
Reporter FORMALITYDE
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265326/
Detection(s):
SecuriteInfo.com.Trojan.Win32.GuLoader.ac.3857.9955.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6260fe61482f2f41cade871f/reports/cf89ea57-abfb-4079-b88d-13080d90cffc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb7657ed-081e-4833-8f50-556249d98c2f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/980436
Signature
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 22:16:55 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
15 of 41 (36.59%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahayf3qd4mxema6cawxhs442kwpb2xvqssrhyyluzbkvzljacm6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
1378ae8590449eb1d4300a28ca1119097f5954ac6c54f99dc0d83d75d932da28
Formbook
1aa89074af39244a69ae04905a4f959cb59d567abbbb7ab76407c2fa34a8f59b
Formbook
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
2a5fecaa7aa29ffedca8d999e1868afef3a14ca955248b617d3445ea239186e4
Formbook
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
Formbook
747f948dea9afe0caf124dfbda7a3dad32851baf62d502ded5d6d0b560bca033
Formbook
95c771c632d3d8501bcb90643f6587624eb5c5773557eeceb34bb08872cbd3cd
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
bc7cf974c3cfb35a9e7f4abff78a9c68ae6a9ecb2eb78725adfd3ef6db6d6e0a
Formbook
de33667dae23bef601f35b12ddf77d50031c4d4565662d296019df378950a22e
Formbook
+ 15'239 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:f7sb downloader loader rat suricata
Link:
https://tria.ge/reports/220421-hlctjsaadl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Xloader Payload
Guloader,Cloudeye
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Generic .bin download from Dotted Quad
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/060406bf-e882-4790-b1c0-6ede7c254f71/
SH256 hash:
f453864e0009b297b2c587547aa1bc7597d449d9d70745306c6fb0213023bfaa
MD5 hash:
a4e8f6d2fd911527f531b21f718a1c43
SHA1 hash:
c33beee413443e2d56546299edc88115249763ac
Link:
https://www.unpac.me/results/060406bf-e882-4790-b1c0-6ede7c254f71/
SH256 hash:
24a1c06934ffb7e5e034e13378db45a132f50ff1c832ec3a5f0442f87e217f3e
MD5 hash:
447e0adedc36cd4d4d27747a0446b3c4
SHA1 hash:
2b719484dd8dc99a76055e26486d3556f4c15eb3
Link:
https://www.unpac.me/results/060406bf-e882-4790-b1c0-6ede7c254f71/
SH256 hash:
01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c
MD5 hash:
7381ed46748006c9b5ae5fa855a3061c
SHA1 hash:
4b194a95ce2cd3528106850c4d428ea3f0d4e678
Link:
https://www.unpac.me/results/060406bf-e882-4790-b1c0-6ede7c254f71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/265326/

Comments