MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad
SHA3-384 hash: af6de3252b9b07c7232cf0376e09f364e65d9547cbe160483697a54c7b4fe04a36924972f3c33d7462172d83eaea6bdc
SHA1 hash: 2349872238ca432b1f18ad7460f2b3feb8cddc1d
MD5 hash: b38d96961c65171ab8cef1e0c8c80019
humanhash: artist-apart-one-kilo
File name:shipping documents.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:716'105 bytes
First seen:2025-09-08 15:30:37 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:JgJGNB4k7S/UmpeX+Zw/A8xwrJkel6u4QnblbMtmOZe0hHXOz03xaoV63x:JeGNB4wSdyA/nl6JwbhrOZe2jgoV63x
TLSH T162E4336D2F4738A9347739D498262E7ADC0BB7C532D722CDB122C963A74367E6063C90
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter cocaman
Tags:r11 rar Shipping


Avatar
cocaman
Malicious email (T1566.001)
From: "agencqhd@hoscogroup.com" (likely spoofed)
Received: "from 216-131-87-122.mia.as62651.net (216-131-87-122.mia.as62651.net [216.131.87.122]) "
Date: "8 Sep 2025 01:54:22 -0700"
Subject: "RE: Shipment Docs"
Attachment: "shipping documents.r11"

Intelligence

File Origin
# of uploads :
1
# of downloads :
36
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:shipping documents.exe
File size:741'376 bytes
SHA256 hash: 800bd73ca92a135c6484e12e92ea1ed0ad33d33a01228e9ad23b0062d6a57024
MD5 hash: 5964ecc729d220d84df2965ba6bd73ef
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bedfe0b20052598878fae4
Tags:
autoit emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit compiled-script findstr fingerprint lolbin masquerade microsoft_visual_cc netsh packed packed packed regsvr32 upx wscript
Link:
https://www.filescan.io/uploads/68bef6b7cfa59bfdc7f3b7bc/reports/b040d14d-efe9-4a30-aed4-206a03091216/overview
Verdict:
Malicious
Labled as:
Trojan.Downloader
Link:
https://www.hybrid-analysis.com/sample/c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad
Verdict:
Malicious
File Type:
rar
First seen:
2025-09-08T16:06:00Z UTC
Last seen:
2025-09-08T16:06:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad/results?tab=lookup
Verdict:
Malware
YARA:
1 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Rar Archive Suspect
Link:
https://app.malva.re/file/b38d96961c65171ab8cef1e0c8c80019
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-09-08 08:05:09 UTC
File Type:
Binary (Archive)
Extracted files:
53
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydrg2lsuhvhu2hskv6vuvxbx653cvh2ukkxtf7bdll5nuqkfqgwq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:win_upx_packed
Create hunting rule
Author:Reedus0
Description:Rule for detecting UPX packed malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c0e26d2e543d4f4d1e4aafab4adc37f7762a9f5452af32fc235afada414581ad

(this sample)

Formbook

Executable exe 800bd73ca92a135c6484e12e92ea1ed0ad33d33a01228e9ad23b0062d6a57024

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 800bd73ca92a135c6484e12e92ea1ed0ad33d33a01228e9ad23b0062d6a57024
  
Dropping
MD5 5964ecc729d220d84df2965ba6bd73ef

Comments