MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 845d86a44b920a55e48bc54225ea06da1e0e7b8e865b1b93b7c03a023f6034eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: 845d86a44b920a55e48bc54225ea06da1e0e7b8e865b1b93b7c03a023f6034eb
SHA3-384 hash: 6e85bf2b471dbf2ff95ac9d011c68cb04942073ceb0349e195dfb0cd9e24876e82635318e553fde36cfe7b46b8a1fb86
SHA1 hash: 8bc32395b205c8048d38daf046217e3e2c1a1ecf
MD5 hash: f5619b84a785182e230449a8430288d5
humanhash: louisiana-xray-pizza-south
File name: main.exe
Signature: Formbook
File size: 718'848 bytes
First seen: 2025-06-13 11:55:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:OVNMTWT5KB7cdXOIfE0OI+IVs2dWDXJBykPWPL+TovUlelSc7:UT8440H+IVsEclZToKel
Threatray 56 similar samples on MalwareBazaar
TLSH T1E3E4E10137E8CB26EA6E13BDE4B056245BB6A14B9153FB4DB48C19FE5B1730099123BF
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags: exe FormBook SilverRAT UmbralStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 520
Origin country: NL
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
main.exe
Verdict:
Malicious activity
Analysis date:
2025-06-13 08:54:20 UTC
Tags:
discord exfiltration stealer github evasion asyncrat discordgrabber generic umbralstealer ims-api divulgestealer umbral amsi-bypass

Note:
ANY.RUN is an interactive sandbox; its verdict reflects the actions an operator takes during the session, not only the uploaded sample.
Verdict:
Malicious
Score:
94.9%
Tags:
shell spawn hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a window
Launching a process
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Creating a service
Launching a service
Running batch commands
Creating a file in the Windows subdirectories
Possible injection to a system process
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
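Several of the behaviours above (the Defender exclusion, UAC blocking, the Run-key autorun and the obfuscated PowerShell) and the Joe Sandbox Sigma hits further down (Base64-encoded MpPreference cmdlet, execution-policy bypass, Defender scan disabled) all surface in process command lines, so a single command-line triage catches them. The following is an added example, not code from MalwareBazaar or any of the sandbox vendors: it decodes -EncodedCommand payloads (base64 of UTF-16LE) and matches the patterns over constructed Sysmon-style lines (timestamp|image|commandline). The indicator and function names are my own, and the sample log lines are made up to resemble this sample's dropped-file names; they were not captured from it.

```python
"""Command-line triage for Defender tampering, UAC disabling, Run-key
persistence and encoded/obfuscated PowerShell. Added example; the log lines
below are constructed, not taken from the sample's sandbox run."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

# (indicator name, pattern); evaluated against the raw line plus any decoded payload.
INDICATORS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)),
    ("defender_disable", re.compile(r"Set-MpPreference\b.*?-Disable\w+", re.I)),
    ("uac_disable", re.compile(r"EnableLUA\b.*?\b0\b", re.I)),            # reg add ... /d 0, Set-ItemProperty -Value 0
    ("run_key_autorun", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("execution_policy_bypass", re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)),
]


def encode_powershell_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or an odd byte count that is not UTF-16LE


def triage_command_line(cmdline: str) -> Dict[str, object]:
    """Decode any encoded payload, then match every indicator against raw + decoded text."""
    decoded = decode_encoded_command(cmdline)
    hits: List[str] = ["encoded_command"] if decoded is not None else []
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    for name, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(name)
    return {"decoded": decoded, "hits": hits}


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the triage over 'timestamp|image|commandline' lines; keep only lines with hits."""
    findings = []
    for line in lines:
        ts, image, cmdline = line.split("|", 2)
        result = triage_command_line(cmdline)
        if result["hits"]:
            findings.append({"ts": ts, "image": image, "hits": result["hits"], "decoded": result["decoded"]})
    return findings


# Constructed log lines (hypothetical; names chosen to resemble this entry's dropped files).
SAMPLE_LOG = [
    "2025-06-13T11:55:50Z|main.exe|powershell.exe -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\ProgramData'\"",
    "2025-06-13T11:55:52Z|$77smartscreen.exe|powershell.exe -nop -w hidden -enc "
    + encode_powershell_command("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "2025-06-13T11:55:53Z|cmd.exe|reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    "2025-06-13T11:55:54Z|cmd.exe|reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v smartscreen /d C:\\ProgramData\\$77smartscreen.exe /f",
    "2025-06-13T11:56:00Z|explorer.exe|notepad.exe C:\\Users\\user\\notes.txt",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["ts"], finding["image"], finding["hits"])
```

The patterns are deliberately narrow (exact cmdlet names, the Run key path, EnableLUA set to 0); loosening them to catch string-concatenated or variable-expanded PowerShell trades false positives for coverage, which is why the Joe Sandbox signatures also flag obfuscation itself as a separate indicator.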
Result
Threat name:
Blank Grabber, SilverRat, Umbral Stealer
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Detected Stratum mining protocol
Disables UAC (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Blank Grabber
Yara detected SilverRat
Yara detected UAC Bypass using CMSTP
Yara detected Umbral Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1714057
Sample: main.exe
Start date: 13/06/2025
Architecture: WINDOWS
Score: 100
Sample-level signatures: Sigma detected: Xmrig; Found malware configuration; Malicious sample detected (through community Yara rule); 24 other signatures
Contacted hosts: de.monero.herominers.com; date-enclosed.gl.at.ply.gg; 3 other IPs or domains

Process tree (node numbers are the graph's own):
main.exe (16)
  dropped: C:\ProgramData\$77smartscreen.exe (PE32); C:\Users\user\AppData\Local\...\main.exe.log (CSV)
  signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
  started: powershell.exe (32) -> conhost.exe (50)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Found suspicious powershell code related to unpacking or dynamic code loading
  started: powershell.exe (34) -> conhost.exe (52)
$77smartscreen.exe (10)
  network: date-enclosed.gl.at.ply.gg 147.185.221.28:20227 (SALSGIVERUS, United States); discord.com 162.159.135.232:443 (CLOUDFLARENETUS, United States)
  signatures: Protects its processes via BreakOnTermination flag; Found many strings related to Crypto-Wallets (likely being stolen); Creates autostart registry keys with suspicious names; 5 other signatures
  started: RegAsm.exe (21)
    network: api.filedoge.com 49.13.193.134:443 (HETZNER-ASDE, Germany)
    dropped: C:\Users\user\AppData\...\$77xmrig.exe (PE32+); C:\Users\user\AppData\Roaming\...\$77lol.vbs (ASCII); C:\Users\user\AppData\...\$77haideptrai.bat (ASCII)
    started: wscript.exe (38)
      signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
      started: cmd.exe (56) -> conhost.exe (75)
        started: $77xmrig.exe (71)
          network: de.monero.herominers.com 141.95.126.31:1111 (DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany); Detected Stratum mining protocol
          signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining
  started: RegAsm.exe (25)
    dropped: C:\Users\user\AppData\...\lqsf2km2.cmdline (Unicode)
    signatures: Loading BitLocker PowerShell Module; Reads the Security eventlog; Reads the System eventlog
    started: csc.exe (41) -> conhost.exe (58); cvtres.exe (60)
      dropped: C:\Users\user\AppData\Local\...\lqsf2km2.dll (PE32)
  started: powershell.exe (28) -> conhost.exe (44)
  started: 6 other processes (36) -> conhost.exe (54)
cmd.exe (14)
  signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found
  started: powershell.exe (30) -> conhost.exe (48)
    signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    injected: winlogon.exe (46)
      signatures: Found strings related to Crypto-Mining; Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; 4 other signatures
      injected: svchost.exe (62); lsass.exe (65); svchost.exe (67); 9 other processes (69)
        svchost.exe (62) signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
        svchost.exe (62) started: wscript.exe (77)
          signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Windows Scripting host queries suspicious COM object (likely to drop second stage); 2 other signatures
5 other processes (19)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Changes security center settings (notifications, updates, antivirus, firewall)
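The last hop in the graph is the dropped $77xmrig.exe talking to de.monero.herominers.com on port 1111, where the sandbox flagged the Stratum mining protocol. As an added example (not vendor code and not from the page), the Python below shows what that detection looks like on the wire: Stratum is newline-delimited JSON-RPC, the XMRig/Monero dialect opens with a login message carrying the wallet address and miner agent string, and the pool answers with the first job inline. The pool hostname and port are the ones listed on this page; the JSON messages, the wallet string and the agent version are constructed, and the function names are my own.

```python
"""Stratum mining-protocol detection on a captured TCP payload.
Added example; the messages in SAMPLE_STREAM are constructed, not captured
from this sample's run."""
import json
import re
from typing import Dict, List

# Client-side methods of the two common Stratum dialects: XMRig/Monero
# ("login", "submit", "keepalived"; the pool pushes "job") and the original
# Bitcoin-style "mining.*" family.
STRATUM_METHODS = {
    "login", "submit", "keepalived", "job",
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}
# Standard Monero address: base58, 95 characters, leading 4 (8 for integrated addresses).
MONERO_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def parse_jsonrpc_lines(payload: bytes) -> List[dict]:
    """Split a payload into JSON objects, one per line. Lines that are not
    complete JSON (a truncated final segment, binary noise, HTTP) are skipped
    rather than aborting the whole stream."""
    messages = []
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except ValueError:
            continue
        if isinstance(obj, dict):
            messages.append(obj)
    return messages


def inspect_stream(dst_host: str, dst_port: int, payload: bytes) -> Dict[str, object]:
    """Classify one flow. Port 1111 is not distinctive by itself, so the
    decision rests on the JSON-RPC method names, not on the destination."""
    result: Dict[str, object] = {
        "dst": f"{dst_host}:{dst_port}", "stratum": False, "methods": [],
        "agent": None, "login": None, "wallet_type": None,
    }
    methods: List[str] = []
    for msg in parse_jsonrpc_lines(payload):
        method = msg.get("method")
        params = msg.get("params")
        if method in STRATUM_METHODS:
            methods.append(method)
        if method == "login" and isinstance(params, dict):        # XMRig dialect
            result["login"] = params.get("login")
            result["agent"] = params.get("agent")
        elif method == "mining.authorize" and isinstance(params, list) and params:
            result["login"] = params[0]                             # "wallet.worker"
        elif method == "mining.subscribe" and isinstance(params, list) and params:
            result["agent"] = params[0]
        res = msg.get("result")
        if isinstance(res, dict) and "job" in res:                  # pool reply to a Monero login
            methods.append("login-reply")
    result["methods"] = methods
    result["stratum"] = bool(methods)
    login = result["login"] or ""
    # Pools accept "wallet.worker" and "wallet+difficulty"; strip those suffixes.
    if MONERO_ADDRESS.match(re.split(r"[.+]", login)[0]):
        result["wallet_type"] = "monero"
    return result


# Constructed exchange (hypothetical): a syntactically valid placeholder wallet,
# a made-up agent string, and a truncated trailing fragment as a capture would have.
_WALLET = "4" + "B" * 94
SAMPLE_STREAM = b"".join(json.dumps(m).encode() + b"\n" for m in [
    {"id": 1, "jsonrpc": "2.0", "method": "login",
     "params": {"login": _WALLET, "pass": "x", "agent": "XMRig/6.22.2", "algo": ["rx/0"]}},
    {"id": 1, "jsonrpc": "2.0", "error": None,
     "result": {"id": "s1", "job": {"blob": "00" * 8, "job_id": "j1", "target": "b88d0600", "algo": "rx/0"},
                "status": "OK"}},
    {"id": 2, "jsonrpc": "2.0", "method": "submit",
     "params": {"id": "s1", "job_id": "j1", "nonce": "a1b2c3d4", "result": "00" * 32}},
]) + b'{"id":3,"jsonrpc":"2.0","method":"keepalived","para'

if __name__ == "__main__":
    print(inspect_stream("de.monero.herominers.com", 1111, SAMPLE_STREAM))
```

This only works on plaintext Stratum; pools also serve it over TLS on separate ports, in which case the pool hostname (resolved via DNS, as in the graph above) and the destination IP are what remain to match on.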
Threat name:
Win32.Backdoor.Asyncrat
Status:
Malicious
First seen:
2025-06-13 11:56:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:silverrat family:umbral defense_evasion discovery execution persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Detects videocard installed
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Detect Umbral payload
SilverRat
Silverrat family
UAC bypass
Umbral
Umbral family
Malware Config
C2 Extraction:
date-enclosed.gl.at.ply.gg:20227
https://discordstealervortex.vercel.app/upload
Verdict:
Malicious
Tags:
Win.Dropper.LokiBot-10010685-0
YARA:
n/a
Unpacked files
SHA256 hash:
845d86a44b920a55e48bc54225ea06da1e0e7b8e865b1b93b7c03a023f6034eb
MD5 hash:
f5619b84a785182e230449a8430288d5
SHA1 hash:
8bc32395b205c8048d38daf046217e3e2c1a1ecf
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name:CAS_Malware_Hunting
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Detect_Zoom_Invite_malware_RAT_C2
Author:daniyyell
Description:Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MALWARE_Win_R77
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell script that creates a Scheduled Task that runs from a suspicious directory
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May contain a PowerShell or CMD command (obfuscated or not) that can be abused by a threat actor (can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Checks for overlay, obfuscation, encryption, spoofing, hiding, or entropy techniques (can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         | Title                                                   | Severity
CHECK_AUTHENTICODE         | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS  | Missing dll Security Characteristics (HIGH_ENTROPY_VA)  | high
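Both BLint findings come straight from the PE optional header: an Authenticode signature is referenced by data directory entry 4 (the security directory; its size field is zero when the file is unsigned), and HIGH_ENTROPY_VA is bit 0x0020 of the DllCharacteristics field, which sits at offset 70 in both PE32 and PE32+ optional headers. The following added example (not BLint's code) reproduces the two checks with only the Python standard library and, going slightly beyond the table, also reports DYNAMIC_BASE, NX_COMPAT and GUARD_CF. build_minimal_pe constructs a header-only image for the demonstration; it is not this sample, and the function names are mine.

```python
"""Re-derive BLint's CHECK_AUTHENTICODE / CHECK_DLL_CHARACTERISTICS findings
from raw PE header bytes. Added example; the images built by
build_minimal_pe() are constructed header-only stubs, not the sample."""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits, ascending so reported order is stable.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
REQUIRED = ("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def pe_security_properties(data: bytes) -> Dict[str, object]:
    """Walk DOS header -> PE signature -> COFF -> optional header and report
    DllCharacteristics plus whether a security directory (Authenticode) exists."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dir_off = "PE32", 96        # data directories start after the 32-bit fields
    elif magic == 0x20B:
        fmt, dir_off = "PE32+", 112      # 64-bit ImageBase/stack/heap fields push them out
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs < 5 or size_of_optional < dir_off + 5 * 8:
        raise ValueError("optional header too short to hold a security directory")
    # Entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY. Unlike other entries its first
    # dword is a file offset, not an RVA; a zero size means no signature blob.
    _sec_offset, sec_size = struct.unpack_from("<II", data, opt + dir_off + 4 * 8)
    flags = [name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    findings: List[str] = []
    if sec_size == 0:
        findings.append("CHECK_AUTHENTICODE: Missing Authenticode")
    missing = [f for f in REQUIRED if f not in flags]
    if missing:
        findings.append("CHECK_DLL_CHARACTERISTICS: missing " + ", ".join(missing))
    return {"format": fmt, "dll_characteristics": flags,
            "authenticode": sec_size > 0, "findings": findings}


def build_minimal_pe(plus: bool, dll_chars: int, cert_size: int) -> bytes:
    """Constructed header-only image: DOS stub, PE signature, COFF header and an
    optional header with 16 data directories. Not loadable; enough to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt_len = 112 if plus else 96
    opt = bytearray(opt_len + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, opt_len - 4, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, opt_len + 4 * 8, 0x1000 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, len(opt),
                       0x0002 | (0 if plus else 0x0100))  # EXECUTABLE_IMAGE [| 32BIT_MACHINE]
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Unsigned PE32 with DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, like the table above.
    print(pe_security_properties(build_minimal_pe(False, 0x8140, 0)))
    # Signed PE32+ with the full set: no findings.
    print(pe_security_properties(build_minimal_pe(True, 0xC160, 0x2000)))
```

Two caveats when reading these findings on a .NET sample: HIGH_ENTROPY_VA only affects 64-bit images, so its absence on a 32-bit CIL executable says little, and an absent Authenticode signature is common for benign software too. Both are weak signals on their own; the sandbox behaviour above is what makes this file malicious, not the linker flags.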

Comments