MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222
SHA3-384 hash: 6448098de3d1b00c09993d2374a2e3e706209d5f0deb4b4e13f82ff364e866b7a311e0d02693c6039f0b3e66bec989b0
SHA1 hash: 9820f121bd0e2a5143f5ea0164a184c92c791097
MD5 hash: f1bca3d5bb99015c0fdad3b237c3b266
humanhash: papa-batman-white-oregon
File name:PO00408322.xlsx.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:796'680 bytes
First seen:2025-10-20 09:02:13 UTC
Last seen:2025-11-06 10:48:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:n0OTMfwUCRBCOA+TVD3OqjwppMi9+2dxyryzJYLXmMTQgYGDNdhxX2lJDCRisixy:Qfw8+L8ppMiDdCXTeyNvVyC4sis
TLSH T1E90512507669EB02D5616BF45A72F2380BB92E9DF411C30A4EE8BDEBB874F404D60E53
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO00408322.xlsx.scr
Verdict:
Malicious activity
Analysis date:
2025-10-20 09:03:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc52d0db-1dca-44ce-a3a9-02453e46eddf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33400/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f5fab36dc4a08515e36764
Tags:
underscore obfusc virus shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature masquerade packed phishing signed strictor
Link:
https://www.filescan.io/uploads/68f5faafc85c5c56972eccdd/reports/909efee5-5937-49c4-8865-b4405b980b10/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-17T05:05:00Z UTC
Last seen:
2025-10-22T07:01:00Z UTC
Hits:
~10000
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.Noon.gen VHO:Backdoor.Win32.Agent.gen PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f7f2acf-4b79-4c07-ae7b-cdaeda5adcdd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798173
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798173 Sample: PO00408322.xlsx.scr.exe Startdate: 20/10/2025 Architecture: WINDOWS Score: 100 38 www.stickyogasol.xyz 2->38 40 www.vrgadget.xyz 2->40 42 10 other IPs or domains 2->42 56 Suricata IDS alerts for network traffic 2->56 58 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->58 60 Multi AV Scanner detection for submitted file 2->60 64 7 other signatures 2->64 10 PO00408322.xlsx.scr.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 62 Performs DNS queries to domains with low reputation 40->62 process4 dnsIp5 36 C:\Users\user\...\PO00408322.xlsx.scr.exe.log, ASCII 10->36 dropped 66 Adds a directory exclusion to Windows Defender 10->66 17 PO00408322.xlsx.scr.exe 10->17         started        20 powershell.exe 23 10->20         started        44 127.0.0.1 unknown unknown 14->44 file6 signatures7 process8 signatures9 52 Maps a DLL or memory area into another process 17->52 22 Ic7hFwYZL.exe 17->22 injected 54 Loading BitLocker PowerShell Module 20->54 24 WmiPrvSE.exe 20->24         started        26 conhost.exe 20->26         started        process10 process11 28 PresentationHost.exe 13 22->28         started        signatures12 68 Tries to steal Mail credentials (via file / registry access) 28->68 70 Tries to harvest and steal browser information (history, passwords, etc) 28->70 72 Modifies the context of a thread in another process (thread injection) 28->72 74 3 other signatures 28->74 31 VWG4e2tA92w.exe 28->31 injected 34 firefox.exe 28->34         started        process13 dnsIp14 46 www.xerina.life 63.250.47.100, 49711, 49712, 49713 NAMECHEAP-NETUS United States 31->46 48 apptudemo.online 79.116.71.67, 80 RCS-RDS73-75DrStaicoviciRO Romania 31->48 50 5 other IPs or domains 31->50
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86
Link:
https://app.malva.re/file/f1bca3d5bb99015c0fdad3b237c3b266
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-17 08:02:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=erwhvhaxxosa3u6kzynqjjzdl23ifosmua6wjt6tmbt5h5aumira._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251020-kzrkzaskhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222
MD5 hash:
f1bca3d5bb99015c0fdad3b237c3b266
SHA1 hash:
9820f121bd0e2a5143f5ea0164a184c92c791097
Link:
https://www.unpac.me/results/50bd9ee3-72d5-4003-91dc-3769fe5ff40f/
SH256 hash:
a2df9936a7fba473f166cac5325728bd87eafd388619a83af5ca2930945daf80
MD5 hash:
5a1e3da1d469ad51d5517c9f78d12c5b
SHA1 hash:
53d7bf044aaa24db09ca8e4df3555d4194927cdd
Link:
https://www.unpac.me/results/50bd9ee3-72d5-4003-91dc-3769fe5ff40f/
SH256 hash:
55dc2774d5b538caab7ebb1ff2a5b3b3946abf6eafc20882407c2126d6a465f9
MD5 hash:
06478d8998ca13ba235031b418a075fc
SHA1 hash:
5c201171728e5ecba2191ff7ebb84d87966e7d91
Link:
https://www.unpac.me/results/50bd9ee3-72d5-4003-91dc-3769fe5ff40f/
SH256 hash:
d47fa3588c69f970a0a46d8fa62763b852c66e191f115dc975ed5841bd56498b
MD5 hash:
eba1f4a5f24ba9730bfb08bcaaa7b29d
SHA1 hash:
d074704a960283f55d3d71dc6478f872078683ac
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/50bd9ee3-72d5-4003-91dc-3769fe5ff40f/
SH256 hash:
4e247caa6bce726ca29be1d0f447e9bc8c3d8cd70df41e34457d74659439b71d
MD5 hash:
400e3c2597993a6670d65ce3326fcfbf
SHA1 hash:
26077d92ff5151301f3247902680e2adf3b7b8f8
Link:
https://www.unpac.me/results/50bd9ee3-72d5-4003-91dc-3769fe5ff40f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/246c7a9c17bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 246c7a9c17bba40dd3cace1b04a7235eb682ba4ca03d64cfd36067d3f4146222

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33400/

Comments