MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2673f98efbc942d0aba67697b4d92746c6f3675c14c28ec06fb5249bdb98f3bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: 2673f98efbc942d0aba67697b4d92746c6f3675c14c28ec06fb5249bdb98f3bb
SHA3-384 hash: af0948f9177989b31db069da6a3dee5de40fd8f07c4e108ffd22393f03ec172566f5247a616cefad10757d282bf177cc
SHA1 hash: ff98c3d3af1376c02a23e7358ba81f3dcc5b7813
MD5 hash: 80620d178225995de8d7d9afc19c7166
humanhash: mango-timing-music-jupiter
File name: TZZY20241121001S Shipping docus-copy.exe
Signature: Formbook
File size: 779'264 bytes
First seen: 2025-05-13 13:53:01 UTC
Last seen: 2025-05-19 09:13:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:khgR63lpPbiwKUwnq88cZn9ddKOVFr7DGPNILYaGeJL3hpneQBATk8TyfJ0EE5FR:khgR63lpPbiwKUwnq88cZn9ddKOVFr7M
TLSH: T107F412382369C916CADA0FB45D72C3B457FCAE9EA801D70B9DEA7DAFB0367005492311
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 522
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: feed2060-6285-c0e0-776d-8dffd3b8caac.eml
Verdict: Malicious activity
Analysis date: 2025-05-13 09:05:04 UTC
Tags: qrcode arch-exec spf-fail attachments attc-arch
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: shell virus sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade obfuscated packed packed packer_detected vbnet
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: ID 1689008, sample TZZY20241121001S Shipping docus-copy.exe, start date 13/05/2025, architecture WINDOWS, score 100 (graph image not reproduced; process tree recovered from its labels).
Process tree: the sample drops TZZY20241121001S Shipping docus-copy.exe.log (ASCII) and starts powershell.exe (which starts conhost.exe) plus three further copies of itself; one copy injects into 6uGjT24XpQQcRYEbMoD51.exe, which starts wscript.exe; wscript.exe injects into 6uGjT24XpQQcRYEbMoD51.exe and starts firefox.exe.
Network: www.u939.top (104.21.80.1, local port 49691 to port 80, CLOUDFLARENETUS, United States), contacted by the injected 6uGjT24XpQQcRYEbMoD51.exe.
Threat name: Win32.Backdoor.FormBook
Status: Malicious
First seen: 2025-05-13 07:53:56 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 26 of 37 (70.27%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files

SHA256 hash: 2673f98efbc942d0aba67697b4d92746c6f3675c14c28ec06fb5249bdb98f3bb
MD5 hash: 80620d178225995de8d7d9afc19c7166
SHA1 hash: ff98c3d3af1376c02a23e7358ba81f3dcc5b7813

SHA256 hash: 22a03f25544fecf96ca7f38781824e302238529b6e59cc10cfecf240043bd294
MD5 hash: bee219cadf5a780865c3548d9936bc38
SHA1 hash: 077405987d76832010142540e3f9c5fc1f1c314a

SHA256 hash: d883806ca592b44324ebce9845aa7250c3102c0650943cd03b8e864b957d0657
MD5 hash: 91cd575b34b7bfd874e94581bda8c63c
SHA1 hash: 5fc27501570dcd4463d73da004763d54bb8a00e1
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 79ca2ca0662f17ffdd27985fc21b3a24800a14daaa94e70a0234b93e095640a8
MD5 hash: e583637f901f3c8016f5b814f9b4d359
SHA1 hash: 77255b1d24d614cab3009f54883596178451ad1a

SHA256 hash: f6137f91ebf36af511ed0769f1aca9879a0293db113f2b38a1908ceaa7b35032
MD5 hash: 8abdaf2928b3ff416c163bcbc35e01a5
SHA1 hash: ee412f5bceecbb6721de284d4657435540aa7690
Detections: win_formbook_g0

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 2673f98efbc942d0aba67697b4d92746c6f3675c14c28ec06fb5249bdb98f3bb (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                           | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                            | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
