MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41
SHA3-384 hash:	8043e493d65627aff348053437bbbf6fd98a2d3c3afd9d295deeba4c440de280aba67dacc46acbb408a68130c7599941
SHA1 hash:	df36af0f552de6da15c504afab35baf8a7ea66a5
MD5 hash:	8468238f3db412fade9d74f96762c290
humanhash:	item-echo-quebec-pluto
File name:	SecuriteInfo.com.BackDoor.AgentTeslaNET.18.10453.28992
Download:	download sample
Signature	Formbook Create hunting rule
File size:	933'888 bytes
First seen:	2025-06-18 10:35:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:/6K7vLr9CBLbrKQjJ0D8cl6nEXQuZm1eFqxdOusu7v:/6K7jr9OrK4ggeQ+qDt7
Threatray	2'959 similar samples on MalwareBazaar
TLSH	T1271512E9468EC931CAE92FB8A660D1BB1378EE895001C3078DDEBCF77C173552956392
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	0b797979e0e73f10 (5 x SnakeKeylogger, 4 x Formbook, 4 x a310Logger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

500

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.BackDoor.AgentTeslaNET.18.10453.28992

Verdict:

No threats detected

Analysis date:

2025-06-18 10:38:43 UTC

Tags:

netreactor

Link:

https://app.any.run/tasks/eb353af9-b469-4605-9e1e-533a14a6f362

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/10005/

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.18.10453.28992.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6852980d58dda9f6852238ba

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a1022a99-36c2-4753-829f-ef4dd70a0dcf

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1717338

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41/

Threat name:

ByteCode-MSIL.Trojan.VIPKeylogger

Status:

Malicious

First seen:

2025-06-18 04:45:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gyyivymadz4ogb5yete75ajlh75zcyog7of3zngslj6niecorzaq._file

Verdict:

malicious

Label(s):

unc_loader_037

Formbook

4a6dcfe4dfe7d02d44962cb9e47d87d6d755d0a9481a8013b145eb674ba567a0

Formbook

d6a676ac2fedead7999ed8250543e38da6096cc6efd3c7517d49d6b090ffbec2

Formbook

dfb8ecbf4f52efbf20605c2be946d62bb062edf1dce896a9b45516c7aa90e422

Formbook

error

Formbook

+ 2'949 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250618-mm1dfswrv8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5a844a63-849a-458f-a7fd-8aabb4aede57

Unpacked files

SH256 hash:

36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41

MD5 hash:

8468238f3db412fade9d74f96762c290

SHA1 hash:

df36af0f552de6da15c504afab35baf8a7ea66a5

Link:

https://www.unpac.me/results/ca8d0398-e22c-4974-a12f-28186028c790/

SH256 hash:

327c9ac82023faee0c3e417539b45ecf404ffba2b269984f84d2662e1aee1db6

MD5 hash:

30588035e76b68c63be6a504602abb57

SHA1 hash:

1451b539f278f68cd9a5f194c3700be82099f448

Link:

https://www.unpac.me/results/ca8d0398-e22c-4974-a12f-28186028c790/

SH256 hash:

a5c0006918a2d8df2f655b5dce6edee5c8ac336010fad6fe0d8cb17be6aecc1c

MD5 hash:

c93f82cd577fe45d220533947f0785cd

SHA1 hash:

3dbad7da0b630e878fb83b0706eba6ed0779e48c

Link:

https://www.unpac.me/results/ca8d0398-e22c-4974-a12f-28186028c790/

SH256 hash:

60839774aa9c24a714ae3e96cb824b45106242b45b56d9fb7b31ffd06416e6eb

MD5 hash:

c377156425a72244deb4c7225de0256d

SHA1 hash:

5472bdef3d626f3c2be286f5198672e5856feafe

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ca8d0398-e22c-4974-a12f-28186028c790/

SH256 hash:

24ddfd30b1071ffd5e1ee4eba3d4d3500e40c23e8aeee125d6f1c60d9ec96e3a

MD5 hash:

348a625d406dea41a5a467a848e6d582

SHA1 hash:

dc94b2a9e131c9b51480d7ac9661a8fd77158cf3

Link:

https://www.unpac.me/results/ca8d0398-e22c-4974-a12f-28186028c790/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36308ae1801e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10005/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample