MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3064359bd46de9cf0fd21817bc5a904aa1da5a262568fe701d58ba39c4e9a40f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 17



SHA256 hash: 3064359bd46de9cf0fd21817bc5a904aa1da5a262568fe701d58ba39c4e9a40f
SHA3-384 hash: 8cc91e444784c4d6f6630ad254ed1016075db84ab7f66ab31c5610776aad81a4db22106c7572216b5ddd3870ee1221f6
SHA1 hash: ee8ce8321e24045ffb114bcf61b3be8e5f25cc48
MD5 hash: cfa14ce8365b677068f4ee89a4a74d75
humanhash: ink-video-shade-equal
File name: kMXEkP04ZesB76R.exe
Signature: Formbook
File size: 852'480 bytes
First seen: 2025-03-26 07:19:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:x91y8Vuik9V+mEJnlVyQl2ViURQ2aApL+mz:xWqCOZjlK0dAxR
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1B405013D7D768E31C3584FF7C456604982B6CB62D477F7AA08CD2CF00E62659C8DAA92
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 16e8c8e8e8c8e812 (10 x SnakeKeylogger, 9 x Formbook, 6 x MassLogger)
Reporter: Anonymous
Tags: exe FormBook

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 471
Origin country: PL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: kMXEkP04ZesB76R.exe
Verdict: Suspicious activity
Analysis date: 2025-03-26 07:44:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: micro spawn shell
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated obfuscated packed packed packer_detected vbnet
Verdict: Malicious
Labeled as: HackTool[Obfuscator]/MSIL.DeepSea
Result
Verdict: MALICIOUS
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (rendered image; the recoverable node and edge data are listed below)
Behavior Graph ID: 1648818
Sample: kMXEkP04ZesB76R.exe
Start date: 26/03/2025
Architecture: WINDOWS
Score: 100

Top-level network contacts: www.whalegamefi.xyz; www.tropicus.xyz; 14 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 7 other signatures; Performs DNS queries to domains with low reputation (www.tropicus.xyz)

Process tree:
kMXEkP04ZesB76R.exe (started)
  dropped: C:\Users\user\AppData\Roaming\ChAxqeruf.exe (PE32)
  dropped: C:\Users\...\ChAxqeruf.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmpE99A.tmp (XML)
  dropped: C:\Users\user\...\kMXEkP04ZesB76R.exe.log (ASCII)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  kMXEkP04ZesB76R.exe (child, started)
    signature: Maps a DLL or memory area into another process
    o814bs81AlYg300TKDDijzl.exe (injected)
      signature: Found direct / indirect Syscall (likely to bypass EDR)
      RMActivate_ssp_isv.exe (started)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        o814bs81AlYg300TKDDijzl.exe (injected)
          network: 51-clubb.net 208.109.172.233 ports 49733, 49734, 49735 (GO-DADDY-COM-LLCUS, United States); www.flashselectionhub.shop 162.210.195.105 ports 49773, 49774, 49775 (LEASEWEB-USA-WDCUS, United States); 9 other IPs or domains
          signature: Found direct / indirect Syscall (likely to bypass EDR)
        firefox.exe (started)
  powershell.exe (started)
    signature: Loading BitLocker PowerShell Module
    conhost.exe (started)
    WmiPrvSE.exe (started)
  powershell.exe (started)
    conhost.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
ChAxqeruf.exe (started)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  schtasks.exe (started)
    conhost.exe (started)
  ChAxqeruf.exe (started)
  ChAxqeruf.exe (started)
svchost.exe (started)
  network: 127.0.0.1
Threat name: Win32.Backdoor.FormBook
Status: Malicious
First seen: 2025-03-26 07:19:18 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash: 3064359bd46de9cf0fd21817bc5a904aa1da5a262568fe701d58ba39c4e9a40f
MD5 hash: cfa14ce8365b677068f4ee89a4a74d75
SHA1 hash: ee8ce8321e24045ffb114bcf61b3be8e5f25cc48

SHA256 hash: c7da900c6a11ee75c94c6285415a89e012da8ba1c75bfe60a893c20b89db3129
MD5 hash: de3d74ed1375f59d1bde57a73a9ab29f
SHA1 hash: 360ad54b43cce6e5948fb9478b31b2a658bea04e

SHA256 hash: 900339cbb4bacc9ad51a9f164fa61c13eabee57f97d1ff1d5c395a7d454499de
MD5 hash: b8fd469eb641b9821d27022396252726
SHA1 hash: 79c6ed730edffa88c948b7b342d7641259435eb1
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 0723cd2e1012aa9b03bb31dfda2adcd2a2c9738f7dae21399f5b71272ebdf3f3
MD5 hash: 7c131bb60e9afbb7d8fb16cc6b5b18a4
SHA1 hash: a9be095cdef518c2ba18aa2e0e95b3b781f24acd

SHA256 hash: bdb7263ad3223671296c9b384d924f10409d60fd4326e0fcae2d2d74ff03ae87
MD5 hash: f60af94ffcc6ca1fb4053c34c5525d29
SHA1 hash: 0c048b03d0e3c245cd0fe055c1cb7b6f9ef735cc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                      | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                       | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)     | high

Comments