MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8
SHA3-384 hash: f59309691fa503bed79301fec21a5895e07b6be7ae799d75ed3e188c26d3cd665099f90df9436e4f154e8edc45576a5a
SHA1 hash: eee9e75fbf2e117b0c306606c8e76398318b0608
MD5 hash: 4443f8f73632d7bb9e797f1938e33203
humanhash: mexico-comet-speaker-victor
File name:SecuriteInfo.com.Trojan.NSIS.Guloader.28924.32007
Download: download sample
Signature Formbook
Create hunting rule
File size:540'336 bytes
First seen:2023-07-27 08:33:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 076b06e6a65c9b7cca5a61be0cd82165 (51 x GuLoader, 4 x AgentTesla, 4 x Formbook)
ssdeep 6144:l21JpU7T7JhRlSTp9S6gUkka++aNOGkJppbXP2KhS1dO9D3p/gCHLadQuY4k:g0xheTp9bgfkWakHpA4S1YCVBY
Threatray 1'632 similar samples on MalwareBazaar
TLSH T114B4F1133268876BC5DB5F7482EBC317B2B91E014797560B5B68BF2CA4B13943E0E98D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c0a0a0a0f4747438 (1 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-27T10:10:52Z
Valid to:2026-01-26T10:10:52Z
Serial number: 7942fc78d954fc02ab11565a013013ed13468755
Thumbprint Algorithm:SHA256
Thumbprint: 76707ac76b4522008fd5eb3b566440e555a11f487ea38482192f2ca34358e65d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.NSIS.Guloader.28924.32007
Verdict:
Suspicious activity
Analysis date:
2023-07-27 08:36:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b8f1c67-0cea-4d70-83b1-5da0a75c08ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434704/
Detection(s):
SecuriteInfo.com.Trojan.NSIS.Guloader.28924.32007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Searching for the window
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control guloader lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c22bbef69d8e39b7ad98e2/reports/ec1dc28f-21a3-47c8-b1ab-f6a64f94190e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/79e190eb-1fad-41a9-a84e-b359a4e349b2
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1280946
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-27 06:21:49 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7cvyvmyrruj6skq53btlancbfob3vtylswwlkseddthziv7t2ua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
Formbook
2afb072fe81c319cbe4cee6d2c660a16a833b4243c8e5ea0aa041b2b974c3ef5
Formbook
38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45
Formbook
856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
Formbook
9765dbd65a085f5367621bfec9f896cf9d37eb298cee6e8568d4488137d888b1
Formbook
ae4782832ffbad77734b2b938435a05073bb4b15f1218654ea88dca421b8609a
Formbook
c8a94c78a7376f91457a32319670c828f10d5616712154c969ef65bee7de122f
Formbook
cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
Formbook
d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
Formbook
e29c4da2ffb29da2ca94953e638058674b6234ac0c75864d644a661d582a3ab1
Formbook
+ 1'622 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230727-kfvhhscg35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
MD5 hash:
4d3b19a81bd51f8ce44b93643a4e3a99
SHA1 hash:
35f8b00e85577b014080df98bd2c378351d9b3e9
Link:
https://www.unpac.me/results/f539cb30-7e51-4457-a25d-c2c682ff83ff/
SH256 hash:
a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8
MD5 hash:
4443f8f73632d7bb9e797f1938e33203
SHA1 hash:
eee9e75fbf2e117b0c306606c8e76398318b0608
Link:
https://www.unpac.me/results/f539cb30-7e51-4457-a25d-c2c682ff83ff/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7c55c55988c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/434704/

Comments