MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205
SHA3-384 hash: 4b81091ee920803305edac5b9372e849789aa12017d5bf1d379b7860f8029b7982a131a78c435c22a0cb47158ef4c3ee
SHA1 hash: 5a786882413a4ab93a0a6f6c0aca66125ac64782
MD5 hash: 43a70cf8778adf3fedc88dd16edefd27
humanhash: bulldog-oscar-hotel-monkey
File name:Details Of Our PO..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:786'944 bytes
First seen:2025-04-16 12:34:01 UTC
Last seen:2025-05-09 12:38:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:O1c2iN0f2ThrcEa7SoiuN70mN399fFjsgSXSwhBYGnlA2SkwvSQUgoVU:D1WfKhrVau+F0mNN9kSMZaXvf1wU
TLSH T105F4120573A8EA06C8920BB56491E27953F88E8DA413E307DFE97EEF7876B4505063D3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
443
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Details Of Our PO..exe
Verdict:
No threats detected
Analysis date:
2025-04-16 12:43:52 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/68a3d936-5545-47e4-8b15-753d5b574fbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2463/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ffa63d954c9c53de0bc7ac
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67ffa3c190767142c3d721c3/reports/188c5654-6894-4542-bd1c-1adaa3f2d3e9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8c33475-3bbc-4917-91eb-c13baab31daa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1666310
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1666310 Sample: Details Of Our PO..exe Startdate: 16/04/2025 Architecture: WINDOWS Score: 100 31 www.restrainreflection.xyz 2->31 33 www.melayari.xyz 2->33 35 20 other IPs or domains 2->35 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 4 other signatures 2->53 10 Details Of Our PO..exe 3 2->10         started        signatures3 51 Performs DNS queries to domains with low reputation 33->51 process4 file5 29 C:\Users\user\...\Details Of Our PO..exe.log, ASCII 10->29 dropped 65 Injects a PE file into a foreign processes 10->65 14 Details Of Our PO..exe 10->14         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 14->67 17 JscBX4KCFylIAlZemRlc6rZ.exe 14->17 injected process9 signatures10 43 Found direct / indirect Syscall (likely to bypass EDR) 17->43 20 ktmutil.exe 13 17->20         started        process11 signatures12 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Modifies the context of a thread in another process (thread injection) 20->59 61 3 other signatures 20->61 23 JscBX4KCFylIAlZemRlc6rZ.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.restrainreflection.xyz 13.248.169.48, 49724, 49725, 49726 AMAZON-02US United States 23->37 39 www.aibay.top 185.27.134.103, 49737, 49738, 49739 WILDCARD-ASWildcardUKLimitedGB United Kingdom 23->39 41 10 other IPs or domains 23->41 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-04-16 02:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dk5sx7citc6adwnpqzmxieeb4s72do2p4qabsscf4lqx5uum6icq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250416-prs62svqx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/002c3d66-ca71-40ce-868a-654966c04d50
Unpacked files
SH256 hash:
1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205
MD5 hash:
43a70cf8778adf3fedc88dd16edefd27
SHA1 hash:
5a786882413a4ab93a0a6f6c0aca66125ac64782
Link:
https://www.unpac.me/results/f8c74542-2233-423c-a5f1-d2cc120aa2fa/
SH256 hash:
d76bcd239c803ae3d0054135fd6b8c2afd1cb709b97c13133089ac128f7bf376
MD5 hash:
9b86525e0132de32b578a07a8a6aaf08
SHA1 hash:
149e06b8872dd1bc29d2403c17e23808f7871d77
Link:
https://www.unpac.me/results/f8c74542-2233-423c-a5f1-d2cc120aa2fa/
SH256 hash:
315dc081f45ac2de766200d3143fbaa3520dd9b2475849b10ef5ae3c0a5257f3
MD5 hash:
9d89486ac9da1e22335a95a9bff8c801
SHA1 hash:
7b6c03c704f865f28c9890225dca6a63d5ad78e3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f8c74542-2233-423c-a5f1-d2cc120aa2fa/
SH256 hash:
00383de0838a17a8d61ca4375fb8b275297337d6cce73afe108efa35018058fc
MD5 hash:
9850dea4433e133e33091b18c7a6bb32
SHA1 hash:
d739029a85827add4061388535457d264f22ac7c
Link:
https://www.unpac.me/results/f8c74542-2233-423c-a5f1-d2cc120aa2fa/
SH256 hash:
3a492f089a7f5173cd3e386aeb5156771eeec8b4a227c68726a460ed98a28fc3
MD5 hash:
fc2b3f740c2bfa29d09a99a5ddb391f9
SHA1 hash:
a4117452f07181835cfcdbd2ed69b75b486bdfdd
Link:
https://www.unpac.me/results/f8c74542-2233-423c-a5f1-d2cc120aa2fa/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1abb2bfc4898/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a4c1553e6f8e8cce581c7e9598124f7eabfb6c57842a9aff454ee6eff0f6810e

Formbook

Executable exe 1abb2bfc4898bc01d9af8659741081e4bfa1bb4fe400194845e2e17ed28cf205

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/2463/
  
Dropped by
SHA256 a4c1553e6f8e8cce581c7e9598124f7eabfb6c57842a9aff454ee6eff0f6810e
  
Dropped by
MD5 5d6dd764b702a66c1176d68a2ed64d5d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments