MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
SHA3-384 hash: fc7a64683c49aa763c4f9577c5691f428e944ae4499731930a840e89391e13cc3d3afd0dfdd59fe441f5454d074440c0
SHA1 hash: dd1fca4d029d929269ec4e8db1acffee3c40a607
MD5 hash: b58bb2eac90a9d20fdd576958f71e9e5
humanhash: video-eight-social-stream
File name:2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
Download: download sample
Signature Formbook
Create hunting rule
File size:795'648 bytes
First seen:2025-06-10 10:56:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+HMkxNiLoF/Ptma/skmYa16Z5LqB4RKfs56FnydVMaODdGhc/ny:uD/PtF/W4Z5LbR6s5enyoey/ny
Threatray 65 similar samples on MalwareBazaar
TLSH T13A05E06813898901C2BDA7F79060E23557B9AD5BF011D30BDBD02DEF3E72791A90A1DB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
Verdict:
No threats detected
Analysis date:
2025-06-10 16:17:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8de73d05-fdd5-4c08-b770-16bd12941ff0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8653/
Detection(s):
SecuriteInfo.com.Win32.Trojan-Stealer.FormBook.REOPEB.23219.22294.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68480f9407b5e8c1cfe61421
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6559f06b-3bbf-428a-a466-f9ea8a70da11
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1711304
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1711304 Sample: 34wNLUd0XZ.exe Startdate: 10/06/2025 Architecture: WINDOWS Score: 100 30 www.ufarm.net 2->30 32 www.ouhael.club 2->32 34 11 other IPs or domains 2->34 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 8 other signatures 2->44 11 34wNLUd0XZ.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\AppData\...\34wNLUd0XZ.exe.log, ASCII 11->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 11->54 56 Injects a PE file into a foreign processes 11->56 58 Uses threadpools to delay analysis 11->58 60 Switches to a custom stack to bypass stack traces 11->60 15 34wNLUd0XZ.exe 11->15         started        signatures6 process7 signatures8 62 Modifies the context of a thread in another process (thread injection) 15->62 64 Maps a DLL or memory area into another process 15->64 66 Sample uses process hollowing technique 15->66 68 2 other signatures 15->68 18 explorer.exe 88 1 15->18 injected process9 dnsIp10 36 www.9trq.top 154.23.222.116, 49697, 80 COGENT-174US United States 18->36 21 cmstp.exe 18->21         started        process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 52 Switches to a custom stack to bypass stack traces 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-05-28 09:55:31 UTC
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eza5qzgwpbcn67hkxaycqnsapoyhyi7yvdq4ovlcckzv2rsq3oda._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
009176f8fe52515f6230b0716f1c6fbed3036b6efc285a4a219260814e739e7c
Formbook
2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
Formbook
5cc4e78268ea872c52ba12d08a527a7da6a0abd65d7b1aaabc2d56ae4edbdef6
Formbook
eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc
Formbook
error
Formbook
+ 55 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:i26e discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250610-m2ckyagj9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8e349c1a-e2d0-4819-8ce6-010f4d334600
Unpacked files
SH256 hash:
2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
MD5 hash:
b58bb2eac90a9d20fdd576958f71e9e5
SHA1 hash:
dd1fca4d029d929269ec4e8db1acffee3c40a607
Link:
https://www.unpac.me/results/d2b78716-91e4-4c2a-ad35-48618524e645/
SH256 hash:
40821f2c5247a234030a44871d4d62035044e2d486432b81e06880213c6fa912
MD5 hash:
c98557f7f6d853d88f1704eeacf3f39d
SHA1 hash:
01fb8c8b57fe8e19022f3fe0ac882c4e9cd9c69c
Link:
https://www.unpac.me/results/d2b78716-91e4-4c2a-ad35-48618524e645/
SH256 hash:
6cf298469e86dc5b279e2f17f8b2ba7931c14a576ccd180ad270079743b39628
MD5 hash:
4de84f6dc5544daddfe147eeb6bbc9f4
SHA1 hash:
b79a8d8ee8251b02e5a100e4ea5a86fd023777bb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d2b78716-91e4-4c2a-ad35-48618524e645/
SH256 hash:
8ce199b5554f819cdbfb01bcfc00e08bdbe69340c14aa39829cb0f65b1a9eb03
MD5 hash:
7803d86c34f1d4d168542fb3781d330b
SHA1 hash:
90969adf903acc89ce3a61b570c3f9c06dee34ed
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/d2b78716-91e4-4c2a-ad35-48618524e645/
Parent samples :
2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86
82f415c500ccb21a936a061f3ae04c255fee596102d783f91c7fcb6e2a7a1e8d
13d5f928a4a2b54818e4ac7e8a629e50536462929d5a338415a3618794120d11
8d8125ab11e71b1f93a499ebfcf39c91ad208f3260fa3a848188a0b39cba3898
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2641d864d67844df7ceab8302836407bb07c23f8a8e1c7556212b35d4650db86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/8653/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments