MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
SHA3-384 hash: 28f00e43594a1558d3845922bf2d6e85c9ed1669332fc6af30fc3548f3987da4dee8424208ffc3463b3d4ad7a83ef7a2
SHA1 hash: 9c4c1aed92947d636109717667136b54bd28e2aa
MD5 hash: 211013cfdb48e16e952f68274de3fd7b
humanhash: north-fix-high-mike
File name:RECORDATORIO DE VCTO DHL - 1606560986.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'246'208 bytes
First seen:2025-08-06 20:51:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:pZN4BE7DwZOnE3sisdNcJYxJ93jCJH9o:T2ad7isdNjB3Sdo
Threatray 110 similar samples on MalwareBazaar
TLSH T1A34523A061E5CE01E95847B11932D53417BB2C4EE063C21ADFEB7CD73937B91667AB02
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon f99924e3634948d0 (37 x AgentTesla, 12 x SnakeKeylogger, 7 x Formbook)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RECORDATORIO DE VCTO DHL - 1606560986.exe
Verdict:
No threats detected
Analysis date:
2025-08-06 21:45:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3935e2b-24d8-4fa7-88b5-bfa9f14f7339

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19373/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6893c0761e8a59ee04e6b550
Tags:
stration spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6893c0736d7bffa0a79f3763/reports/c67e1446-3d43-4161-a7cc-d299d243a3a2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bd1a321d-85e6-40cf-87e7-5dc2d137bb82
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751797
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751797 Sample: RECORDATORIO DE VCTO DHL - ... Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 48 www.youpartnership.xyz 2->48 50 www.teleexplore.xyz 2->50 52 15 other IPs or domains 2->52 68 Suricata IDS alerts for network traffic 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected FormBook 2->72 76 5 other signatures 2->76 11 RECORDATORIO DE VCTO DHL - 1606560986.exe 4 2->11         started        15 svchost.exe 1 1 2->15         started        signatures3 74 Performs DNS queries to domains with low reputation 50->74 process4 dnsIp5 46 RECORDATORIO DE VC... 1606560986.exe.log, ASCII 11->46 dropped 90 Adds a directory exclusion to Windows Defender 11->90 18 RECORDATORIO DE VCTO DHL - 1606560986.exe 3 11->18         started        21 powershell.exe 23 11->21         started        23 RECORDATORIO DE VCTO DHL - 1606560986.exe 11->23         started        25 2 other processes 11->25 60 127.0.0.1 unknown unknown 15->60 file6 signatures7 process8 signatures9 62 Adds a directory exclusion to Windows Defender 18->62 64 Injects a PE file into a foreign processes 18->64 27 RECORDATORIO DE VCTO DHL - 1606560986.exe 18->27         started        30 powershell.exe 23 18->30         started        66 Loading BitLocker PowerShell Module 21->66 32 conhost.exe 21->32         started        process10 signatures11 86 Maps a DLL or memory area into another process 27->86 34 EQRZeYwb.exe 27->34 injected 88 Loading BitLocker PowerShell Module 30->88 36 conhost.exe 30->36         started        process12 process13 38 cacls.exe 13 34->38         started        signatures14 78 Tries to steal Mail credentials (via file / registry access) 38->78 80 Tries to harvest and steal browser information (history, passwords, etc) 38->80 82 Modifies the context of a thread in another process (thread injection) 38->82 84 3 other signatures 38->84 41 qwUUI6G3c.exe 38->41 injected 44 firefox.exe 38->44         started        process15 dnsIp16 54 www.closereasons.online 216.40.34.41, 49716, 49717, 49718 TUCOWSCA Canada 41->54 56 dumasuite.info 195.110.124.133, 49704, 49705, 49706 REGISTER-ASIT Italy 41->56 58 10 other IPs or domains 41->58
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/211013cfdb48e16e952f68274de3fd7b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa/
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 20:52:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cwb7lanuv3j3lddn7ku6re2kzmfpx7qs5pd2lsm65b2xeqvu675a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
Formbook
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
Formbook
1bfc67fda739fb4b9d8ec51ab705c1348396d37eb76be0035183e12b26c7f6ea
Formbook
6bfefb0f3b8a878aec69c3d830824c3bf7d5181ffd6d6e88dc4a8d793370c233
Formbook
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
Formbook
9cc3509d0971ef4d17669266b88c3e7c47e47581b277c5c8e4a59b93ef761c9b
Formbook
error
Formbook
+ 100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250806-znzvjatsb1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f340afc4-fac9-4d47-a039-438f4d7de51f
Unpacked files
SH256 hash:
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
MD5 hash:
211013cfdb48e16e952f68274de3fd7b
SHA1 hash:
9c4c1aed92947d636109717667136b54bd28e2aa
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
SH256 hash:
07d08c9f0c19e8d98e082cd0c06e03740d25ca82e9654bd3ba7f28e390244481
MD5 hash:
cad4333e5737e6dda91878f5e83a3fc7
SHA1 hash:
053bf05dae4b1bced96b19ad42126e86dd7168fb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
SH256 hash:
00049daf2e95649a724141fb24f6ac431a1a451f4b686dbbb97443379c821088
MD5 hash:
aa8038c1eb2e84e43b46114d91f8b00b
SHA1 hash:
4f7d03e7cd44ca646a2dcc8f53534f3aee9718ef
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
Parent samples :
9cc3509d0971ef4d17669266b88c3e7c47e47581b277c5c8e4a59b93ef761c9b
1bfc67fda739fb4b9d8ec51ab705c1348396d37eb76be0035183e12b26c7f6ea
00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
f1f841722dfbf5ae03d0c6b8263565f091570ec9a1e9dc6f93f5759f746e2449
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
5d112bae8efc523f75ae6067c634101605b6d4c5ee4bf67a264ad15daa419b71
c5746aba0a4755f24a90f73d4a3220c63cbcd475f9b24b5600778e5e6a49ce8b
ec21d54163c145fd0a8d5f5569913cf9a27bc54bd756028124e01e52e707b69d
SH256 hash:
a148126bd00fc6170aefb6728c2792f592d94306efe6c21557132c71c668d6a1
MD5 hash:
19c0c0cb6b87dbd88d8e81fdfd622d39
SHA1 hash:
992089c83ed78634af60b97f41006f93618e73a6
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
SH256 hash:
9485dba36ff93583b154f4ab11730ed448f7ee199d2203e0166349e8a3640ef7
MD5 hash:
ccfd69f655d4d803882b790df1d2be62
SHA1 hash:
813de8f1af8fedc5fec1f608824b2d7fec05f830
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
SH256 hash:
9eb341a6c9948b2c6f3ee3be9a29f2b76b0c60b73aed7c787ae10446502377d6
MD5 hash:
c8f723940a9bdebcdeeb1972e48eabc6
SHA1 hash:
9acc38f7c3c9fedb92c18b8f3fb13f0d5122b7ae
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
Parent samples :
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
a148126bd00fc6170aefb6728c2792f592d94306efe6c21557132c71c668d6a1
SH256 hash:
3824cf53758ca0787ff810876adf9d0937db8fa0be51c29465ca1eb6a7b875e8
MD5 hash:
46384651f9d702f3e31b50785a837999
SHA1 hash:
b6706102d52f3bf59bef0390a7ac82a109b3cc54
Link:
https://www.unpac.me/results/9cf742fe-2b5a-4326-856f-7ad613129e2f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1583f581b4ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19373/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments