MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 11 File information Comments

SHA256 hash:	50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1
SHA3-384 hash:	42534b89c73cba9c8f58828d2e2e78aa47b5d4ca100196032231f1c5d131243e8f64588dbbfb3888a2b4d2534b0eb3e4
SHA1 hash:	2434ec6c9a616b3363ca349e1555f3724662cbe7
MD5 hash:	867ecfbb8cb26a736348165181258b2e
humanhash:	robin-eighteen-freddie-paris
File name:	INVOICE.r15
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'065'960 bytes
First seen:	2025-09-29 10:10:08 UTC
Last seen:	2025-09-30 10:28:25 UTC
File type:	rar
MIME type:	application/x-rar
ssdeep	24576:eTFcjz336NA0gbPqnC27WYdBbkf/RtGoagHUgDpF:GFBA0gbrYdB4nRNnHUgD3
Threatray	1'576 similar samples on MalwareBazaar
TLSH	T19535338DDF0AD386DB58FAC291D13242280787E57D8E57DF0E740C1A5E8A86C60B7E97
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	FormBook GuLoader INVOICE payment r15 rar

cocaman

Malicious email (T1566.001)
From: "vanessa.wang@skf.com" (likely spoofed)
Received: "from [91.92.242.11] (unknown [91.92.242.11]) "
Date: "30 Sep 2025 03:15:07 -0700"
Subject: "RE: Confirm revised invoice to proceed with payment ASAP."
Attachment: "INVOICE.r15"

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	INVOICE.exe
File size:	768'512 bytes
SHA256 hash:	3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
MD5 hash:	9ad804c7432ad16d21e0bd3a0a01bc92
MIME type:	application/x-dosexec
Signature	Formbook

File name:	Invoice.bat
File size:	382'970 bytes
SHA256 hash:	e770d4bd2d65dbb979c56054b2ba5b2b6c862e8a55a9769c1c762dd73febe81c
MD5 hash:	55cf812788692306c413aad62ba65b6c
MIME type:	application/x-dosexec
Signature	GuLoader

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27154.Rar5Heur.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d5537d1e4783989051f578

Tags:

injection blic

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed vbnet

Link:

https://www.filescan.io/uploads/68da5b27c564c8e81d09db53/reports/a77ec67a-28c1-4226-afba-082e097b74f7/overview

Verdict:

Suspicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1

Verdict:

Malicious

File Type:

rar

First seen:

2025-09-29T04:39:00Z UTC

Last seen:

2025-09-29T04:39:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Guloader.dcy HEUR:Trojan.Win32.GuLoader.gen

Link:

https://opentip.kaspersky.com/50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1/results?tab=lookup

Verdict:

inconclusive

YARA:

2 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout Rar Archive SOS: 0.44

Link:

https://app.malva.re/file/867ecfbb8cb26a736348165181258b2e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2025-09-29 10:10:11 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

29 of 37 (78.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kb2wwxf7kitgf53aejlryfkntlqbhn4wjarebn7yr74hjj6e2xqq._file

Verdict:

malicious

Label(s):

formbook

unc_loader_037

Formbook

29688877a36107747d055f72f6760d360a6f3715ef32d90f46815838b56e18dc

Formbook

3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8

Formbook

5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17

Formbook

ad0a87e7d15323230f7732b7d734abe976d5e6b4e32ec086e7892ca0f67acfe7

Formbook

b0be564eb26f9cf2f58ea450d43194f3a4fb7dd2ca16375e3ecbfd636e5e7c13

Formbook

c55443835b9da7ef3fd8e804969c806713c352c5fbdbe8e673e348f9588e7189

Formbook

error

Formbook

+ 1'566 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:formbook family:guloader discovery downloader execution installer rat spyware stealer trojan

Link:

https://tria.ge/reports/250929-qesv7agj9y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1

(this sample)

GuLoader

exe e770d4bd2d65dbb979c56054b2ba5b2b6c862e8a55a9769c1c762dd73febe81c

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 e770d4bd2d65dbb979c56054b2ba5b2b6c862e8a55a9769c1c762dd73febe81c

Dropping

GuLoader

Dropping

SHA256 3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8

Dropping

Formbook

Dropping

MD5 9ad804c7432ad16d21e0bd3a0a01bc92

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample