MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 22


Intelligence 22 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
SHA3-384 hash: 75aa7fa2e7121632c889ff22ebdd570bbdbaf0ada340de06a62dcb24d88b4b6e533a0cfaad99b8eb16cb55515165df4a
SHA1 hash: 3d046e482e5ca3398957d33335eff912e400dec1
MD5 hash: f671033f3350e6e08ab9a9d2ae6df01c
humanhash: kilo-mississippi-steak-nitrogen
File name:REVISED SALES CONTRACT AND BUDGET .exe
Download: download sample
Signature Formbook
Create hunting rule
File size:708'608 bytes
First seen:2025-11-03 11:38:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:DzoyHBySMGmVeGi0Es6RYQLAKyHKkEiKr6otdYJhEyLoRM+C:DVySMxgGi/sO6Zte6AdOEyL
Threatray 2'049 similar samples on MalwareBazaar
TLSH T13CE40228269AD813CB9653700F63F3BC1B3EADAE9501C3134EE97DA77DBAF512840591
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
_2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965.exe
Verdict:
Malicious activity
Analysis date:
2025-11-03 11:39:59 UTC
Tags:
auto-sch-xml formbook stealer xloader
Link:
https://app.any.run/tasks/e5391782-eb90-46b2-a974-a32a03d5bb3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35121/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690894849942f1282ecba71b
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/6908947cde25fddba062b979/reports/52efe6d5-4096-48d0-ac9f-c2f54fb2ba13/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-03T01:31:00Z UTC
Last seen:
2025-11-05T08:26:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan.MSIL.Convagent.gen HEUR:Trojan-PSW.MSIL.DarkCloud.gen Backdoor.Agent.HTTP.C&C Trojan.Win32.SpeedBit.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan.MSIL.Taskun.sb Backdoor.Win32.Blakken.sb Trojan.MSIL.Agent.sb Trojan-Spy.Win32.Noon.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Taskun.sb Trojan-Dropper.Win32.Injector.sb
Link:
https://opentip.kaspersky.com/2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7756f90-313e-41aa-9d9a-e04be54e2de0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1806871
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806871 Sample: REVISED SALES CONTRACT AND ... Startdate: 03/11/2025 Architecture: WINDOWS Score: 100 62 www.ourburger.xyz 2->62 64 www.inoption.xyz 2->64 66 3 other IPs or domains 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 76 12 other signatures 2->76 11 REVISED SALES CONTRACT AND BUDGET .exe 7 2->11         started        15 GVxmNQDxpSb.exe 5 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 74 Performs DNS queries to domains with low reputation 64->74 process4 dnsIp5 52 C:\Users\user\AppData\...behaviorgraphVxmNQDxpSb.exe, PE32 11->52 dropped 54 C:\Users\...behaviorgraphVxmNQDxpSb.exe:Zone.Identifier, ASCII 11->54 dropped 56 C:\Users\user\AppData\Local\...\tmpF0AF.tmp, XML 11->56 dropped 58 REVISED SALES CONT...AND BUDGET .exe.log, ASCII 11->58 dropped 96 Adds a directory exclusion to Windows Defender 11->96 98 Injects a PE file into a foreign processes 11->98 20 REVISED SALES CONTRACT AND BUDGET .exe 11->20         started        23 powershell.exe 23 11->23         started        25 schtasks.exe 1 11->25         started        100 Tries to detect virtualization through RDTSC time measurements 15->100 102 Switches to a custom stack to bypass stack traces 15->102 27 GVxmNQDxpSb.exe 15->27         started        29 schtasks.exe 1 15->29         started        60 127.0.0.1 unknown unknown 17->60 file6 signatures7 process8 signatures9 78 Modifies the context of a thread in another process (thread injection) 20->78 80 Maps a DLL or memory area into another process 20->80 82 Sample uses process hollowing technique 20->82 84 Queues an APC in another process (thread injection) 20->84 31 explorer.exe 27 1 20->31 injected 86 Loading BitLocker PowerShell Module 23->86 33 WmiPrvSE.exe 23->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 29->39         started        process10 process11 41 colorcpl.exe 31->41         started        44 cscript.exe 31->44         started        46 autofmt.exe 31->46         started        signatures12 88 Modifies the context of a thread in another process (thread injection) 41->88 90 Maps a DLL or memory area into another process 41->90 92 Tries to detect virtualization through RDTSC time measurements 41->92 94 Switches to a custom stack to bypass stack traces 41->94 48 cmd.exe 41->48         started        process13 process14 50 conhost.exe 48->50         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.25 Win 32 Exe x86
Link:
https://app.malva.re/file/f671033f3350e6e08ab9a9d2ae6df01c
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-11-03 08:43:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f62p3d2ifzik4x5yejd4sqshym77nvqcetjjhleyuvulqgmvtfsq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
3f1bebc7b0ea5164074e72a8f77e3bc133d1d415f5db79c20385b8d5a601a1a0
Formbook
3f57d382a91d317a9534cdc957cd87407f5515c8950320987338dddb4899aeb8
Formbook
44a2b2a04288b8a218d80ea21b9b96de167b844fa7481adfbd48cfdf179aa0df
Formbook
69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce
Formbook
94f3a5b7cc5784d0be1f7d4c726ea45c5c84a132f7b86a10dee5d63332c5415a
Formbook
c34753d6a802dcb3570354a7ecc7e930d957a28cca0d63e698ac0c0cbe67e6cc
Formbook
da99e5e90a490e93120bd11d5bdb6226ad5e6fa21c10d5514b97d09b56dcc403
Formbook
ee68d6bc31aa1661dfdbf95b66fccba4ec8678ee2b6f384d8f51cab0608e81df
Formbook
error
Formbook
f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
Formbook
+ 2'039 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:te56 discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251103-nsl9fsfy5c/
Behaviour
Gathers network information
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3c9ad1d9-7861-404e-8879-1174f013258e
Unpacked files
SH256 hash:
2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
MD5 hash:
f671033f3350e6e08ab9a9d2ae6df01c
SHA1 hash:
3d046e482e5ca3398957d33335eff912e400dec1
Link:
https://www.unpac.me/results/c749c60b-f033-4c9b-a37e-738d1cafbb6b/
SH256 hash:
af26ee533c8f0f8da5b08fcf050592aa09abb9c64e4c4a195cc32fce01dbf018
MD5 hash:
9c806e3429c46c64578c67b7f518085d
SHA1 hash:
41f7a963b82e9528fe07910cf920838eaf4affd0
Link:
https://www.unpac.me/results/c749c60b-f033-4c9b-a37e-738d1cafbb6b/
SH256 hash:
17e506dfecc6148173b284ce7fb0a1a16cbc97361d6fcf3dfca6fcf2583bcc74
MD5 hash:
0320f52277d0f972d52e5a2d55dcbd18
SHA1 hash:
f1e93974115308c024a707395441d6c77b4b734a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c749c60b-f033-4c9b-a37e-738d1cafbb6b/
SH256 hash:
65905ee3589ae10b46abe9e22aedf1351c10b15c6f9ac3fe914e7e52caedced8
MD5 hash:
cdd2773bc382ec08ab5eca0b43c2657d
SHA1 hash:
f106c43ff2ff3e66842d40a58a5a23ef2ce04724
Detections:
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/c749c60b-f033-4c9b-a37e-738d1cafbb6b/
Parent samples :
2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fb4fd8f482e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35121/

Comments