MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dc40d185826d3b1017c756cc2451548fa4236bbb0e8fd721b5e4c58857202c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 20

SHA256 hash: 1dc40d185826d3b1017c756cc2451548fa4236bbb0e8fd721b5e4c58857202c3
SHA3-384 hash: c0571f33358febd404dafc25fa65f6dc4ecf8b07b4c0b294c7e2450e3f9668edce481b1b8c0d0c9e3b1e2ee3fbf08ad8
SHA1 hash: 149e1b2e158335e354fba9a9b56ad9e17877d0c4
MD5 hash: 9c406201d76ed1d51ffb37a1f7577425
humanhash: spaghetti-sad-twelve-island
File name: TT SLIP.cmd
Download: download sample
Signature: Formbook
File size: 856'584 bytes
First seen: 2025-11-20 08:15:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:QDVyEbq4OmDM8HKS5JdTEYn0fkZNmgbTL:oBxjzHKS5JdTEBWL
Threatray: 965 similar samples on MalwareBazaar
TLSH: T1DE05F180277CAF03D6B68FF41AB1D27103F57E9B8921E20A5ED63CDB3965B900941B5B
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: cocaman
Tags: cmd exe FormBook


cocaman
Malicious email (T1566.001)
From: "jonax@thecheapestyoucanget.cheap" (likely spoofed)
Received: "from thecheapestyoucanget.cheap (thecheapestyoucanget.cheap [147.189.170.170]) "
Date: "19 Nov 2025 21:48:02 -0800"
Subject: "Recharges for December 2025"
Attachment: "TT SLIP.cmd"

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: CH
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _1dc40d185826d3b1017c756cc2451548fa4236bbb0e8fd721b5e4c58857202c3.exe
Verdict: Malicious activity
Analysis date: 2025-11-20 08:22:32 UTC
Tags: auto-sch-xml

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: shell sage msil

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: expired-cert invalid-signature masquerade packed reconnaissance signed vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2025-11-20T03:35:00Z UTC
Last seen: 2025-11-21T23:42:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.MSIL.Taskun.sb VHO:Backdoor.MSIL.XWorm.gen PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Injector.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Backdoor.MSIL.XWorm.gen
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph: ID 1817635, sample TT SLIP.cmd.exe, start date 20/11/2025, architecture WINDOWS, score 100 (rendered process/network graph not reproduced here)
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.23 Win 32 Exe x86

Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2025-11-20 08:16:49 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 14 of 23 (60.87%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook adware discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win32_dotnet_form_obfuscate
Author: Reedus0
Description: Rule for detecting .NET form obfuscate malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe 1dc40d185826d3b1017c756cc2451548fa4236bbb0e8fd721b5e4c58857202c3 (this sample)
      Delivery method: Distributed via e-mail attachment
      Dropping: Formbook

Comments