MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ef4c4e15fe09341a0eed5d0b538d1287a230f5e8778cf8acbc317fb873bf977. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash: 2ef4c4e15fe09341a0eed5d0b538d1287a230f5e8778cf8acbc317fb873bf977
SHA3-384 hash: 2c59fbd646c683847b2f7c55be96f42aff96da190d910a3e354d8514e155bf007c8501130d6f1eb9625b27a14277e51f
SHA1 hash: c79d3bba9c049ccdac28f3353763c861a50072e1
MD5 hash: d86a4a463c4347b7580d0729faeab46e
humanhash: montana-enemy-potato-summer
File name:DHL_AWB#6078538091.exe
Download: download sample
Signature Formbook
File size:1'125'888 bytes
First seen:2026-06-30 07:52:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'078 x AgentTesla, 20'046 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:aTqGGb9CwXK5b5wbW3uxFRvTxuM3E5Jp34X6TcvgGVRnj5f:aThEGsWMrVE5/4qTzwj5f
Threatray 240 similar samples on MalwareBazaar
TLSH T1CE3502C43B69B709DEAC69308476EDB512B51D687010B9F2AEDD3B877AED2026D0CF05
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon d8d8dc9abc9c78e8 (1 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence


File Origin
# of uploads :
1
# of downloads :
167
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-30 07:54:08 UTC
Tags:
formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
stration shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-30T02:03:00Z UTC
Last seen:
2026-07-01T05:45:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Backdoor.Agent.HTTP.C&C Trojan.MSIL.Inject.sb
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1935414 Sample: DHL_AWB#6078538091.exe Startdate: 30/06/2026 Architecture: WINDOWS Score: 100 40 www.productgrowthflow.pro 2->40 42 www.pihora.site 2->42 44 21 other IPs or domains 2->44 52 Suricata IDS alerts for network traffic 2->52 54 Antivirus detection for URL or domain 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 7 other signatures 2->58 11 DHL_AWB#6078538091.exe 4 2->11         started        signatures3 process4 file5 38 C:\Users\user\...\DHL_AWB#6078538091.exe.log, ASCII 11->38 dropped 68 Adds a directory exclusion to Windows Defender 11->68 70 Unusual module load detection (module proxying) 11->70 15 DHL_AWB#6078538091.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 72 Maps a DLL or memory area into another process 15->72 20 2ZrRhSuOZB0Xiu.exe 15->20 injected 74 Loading BitLocker PowerShell Module 18->74 22 WmiPrvSE.exe 18->22         started        24 conhost.exe 18->24         started        process9 process10 26 certreq.exe 13 20->26         started        signatures11 60 Tries to steal Mail credentials (via file / registry access) 26->60 62 Tries to harvest and steal browser information (history, passwords, etc) 26->62 64 Modifies the context of a thread in another process (thread injection) 26->64 66 4 other signatures 26->66 29 FtbJ9rcvErH.exe 26->29 injected 32 chrome.exe 26->32         started        34 firefox.exe 26->34         started        process12 dnsIp13 46 www.hbqqoo.com 38.38.139.119, 49761, 49762, 49763 PEG-SV-PEGTECHINCUS United States 29->46 48 www.mshl2t.asia 154.215.105.24, 49753, 49754, 49755 OWGELS-AS-APOWGELSINTERNATIONALCOLIMITEDHK Hong Kong SAR China 29->48 50 14 other IPs or domains 29->50 36 WerFault.exe 4 32->36         started        process14
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.24 Win 32 Exe x86
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook adware discovery execution persistence rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
2ef4c4e15fe09341a0eed5d0b538d1287a230f5e8778cf8acbc317fb873bf977
MD5 hash:
d86a4a463c4347b7580d0729faeab46e
SHA1 hash:
c79d3bba9c049ccdac28f3353763c861a50072e1
SH256 hash:
ad5c1bd88815de4dbcda5056a74fe4b7e7bfcda9d9a76baf2c21bc8a92b580e1
MD5 hash:
9efb0cf1d109ca961765010a043a8ed5
SHA1 hash:
063d805263b46656e4462622e09be2c9f2849b21
SH256 hash:
26d85383838c6cd5af824f133eb5f608d70f54866aad8d4a6e313877589b4053
MD5 hash:
59c5210cea105567f210fd438a45b2c7
SHA1 hash:
076873d622151a38c7c1f5d1c7dc80036434c4f0
SH256 hash:
fb834a0ab2df553494aaef352befbd935d0b19be3c4f9e0c941396b23f1d19b9
MD5 hash:
fae1997c18e2eddb1a14b50a38f85b99
SHA1 hash:
d00909bc6d3db89af66ea9148f2e4a1a8cced112
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2ef4c4e15fe09341a0eed5d0b538d1287a230f5e8778cf8acbc317fb873bf977

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments