MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec2fc373c7839907ad0efe939cc78b99f8236863396b81d430ea9f379aa1e0ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9



SHA256 hash: ec2fc373c7839907ad0efe939cc78b99f8236863396b81d430ea9f379aa1e0ac
SHA3-384 hash: 3d8e4aa8ec1fea81889f9088552cafa4d7889c5d6763378b331edd241f89ae6672e6bd8992fb5595f0e1a5432143e3e9
SHA1 hash: d1ea16527f8daf315166c02b9348a5ffebc85b09
MD5 hash: 9e860be853f1450557bcc86d49bf17ca
humanhash: oven-may-sweet-angel
File name: SecuriteInfo.com.Trojan.NSIS.Agent.32534.27657
Signature: Formbook
File size: 782'776 bytes
First seen: 2023-11-10 02:19:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:Kr+y02Jk86r8pRlrkjW5TCetJd5wYptFTVPOLypOzOPQy9CHTge8:KqyHk8ggrk8TB5wYTxOu1Qy9CH0d
TLSH T158F412B33D34DACFE83B5036A07BB9672B6464785CC51A0A7141F75B6D52387CA0F24A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 70f4f0e5e1fa5860 (2 x Formbook, 1 x Loki)
Reporter SecuriteInfoCom
Tags: exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-04-21T03:05:23Z
Valid to: 2026-04-20T03:05:23Z
Serial number: 3d209eaa580c1a50f9b1996128a5dca7cf657d5c
Thumbprint Algorithm: SHA256
Thumbprint: e37d8384b3ba4e9b59b24ec0b4f79d26a0795ccea312d6510c08ef2314ccaebf
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 312
Origin country: FR
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file
Delayed reading of the file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Behaviour
Verdict:
malicious
Label(s):
formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SHA256 hash: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash: 75ed96254fbf894e42058062b4b4f0d1
SHA1 hash: 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 hash: ec2fc373c7839907ad0efe939cc78b99f8236863396b81d430ea9f379aa1e0ac
MD5 hash: 9e860be853f1450557bcc86d49bf17ca
SHA1 hash: d1ea16527f8daf315166c02b9348a5ffebc85b09
Please note that we are no longer able to provide a coverage score for Virus Total.
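Before spending analysis time on this entry, a practitioner checks that the file actually in hand is the one the entry describes, and pivots on SHA256 rather than on the weaker MD5 and SHA1 digests the page also lists (the entry's signature says Formbook while the imphash cluster and one sandbox verdict above say GuLoader, so matching the right bytes matters). The following script is an added example, not MalwareBazaar's own tooling; the hash values are copied from this page, the `abc` stand-in input is constructed for demonstration only, and the verdict labels (`match`, `inconsistent`, `weak-only`, `mismatch`) are the example's own convention.

```python
"""Verify a downloaded sample against the hashes published in this MalwareBazaar entry."""
import hashlib
import sys
from typing import Dict, Iterable

# The four digest algorithms this entry page lists for the submitted file.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# Hashes copied from the entry page for SHA256 ec2fc373...e0ac.
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "ec2fc373c7839907ad0efe939cc78b99f8236863396b81d430ea9f379aa1e0ac",
    "sha3_384": "3d8e4aa8ec1fea81889f9088552cafa4d7889c5d6763378b331edd241f89ae6672e6bd8992fb5595f0e1a5432143e3e9",
    "sha1": "d1ea16527f8daf315166c02b9348a5ffebc85b09",
    "md5": "9e860be853f1450557bcc86d49bf17ca",
}

# SHA256 of the unpacked child that the sandbox section lists beside the sample's own hashes;
# a memory dump or dropped file matching this is the payload stage, not the submitted file.
UNPACKED_CHILD_SHA256 = "a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7"


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Run every chunk through all four hashers in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_blob(data: bytes) -> Dict[str, str]:
    """Digest an in-memory blob (e.g. a process dump or an extracted overlay)."""
    return digest_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digest a file on disk without reading it fully into memory."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def compare_to_entry(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm comparison, case-insensitive, for every hash the entry publishes."""
    return {name: actual.get(name, "").lower() == value.lower() for name, value in expected.items()}


def verify_sample(actual: Dict[str, str], expected: Dict[str, str] = ENTRY_HASHES) -> str:
    """Classify a digest set against the entry.

    Only SHA256 establishes identity. MD5 and SHA1 are kept for cross-referencing
    older reports; a file that matches them but not SHA256 must never be treated
    as the same sample, because collisions for both are practical.
    """
    matches = compare_to_entry(actual, expected)
    if matches.get("sha256"):
        # SHA256 agrees; if a listed weaker hash disagrees, the entry data itself is suspect.
        return "match" if all(matches.values()) else "inconsistent"
    if matches.get("md5") or matches.get("sha1"):
        return "weak-only"
    return "mismatch"


def is_unpacked_child(actual: Dict[str, str]) -> bool:
    """True when the blob is the unpacked stage the sandbox recorded for this sample."""
    return actual.get("sha256", "").lower() == UNPACKED_CHILD_SHA256


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-downloaded-sample>
    digests = hash_file(sys.argv[1])
    for name in ALGORITHMS:
        print(f"{name:9s} {digests[name]}")
    print("verdict:", verify_sample(digests))
    print("unpacked child:", is_unpacked_child(digests))
```

The verdict deliberately refuses to accept an MD5-only or SHA1-only match: two differently packed GuLoader builds can easily be built to share a weak digest, and the only identity claim this entry makes that is worth trusting is the SHA256 in its title.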

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:PE_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments