MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190
SHA3-384 hash: cb259200cfb955f48d1cf6dae225f44216a5f7f3e54b9ae253565c165f96603d7aac4c11fce9f419738e9637e8d6d124
SHA1 hash: 7d9a785754803708bef977a1ea44df828e87bda8
MD5 hash: f2f7da93e790c3a67919a35ddd12f32b
humanhash: bulldog-mirror-india-ink
File name:RFQ-1579.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:689'152 bytes
First seen:2025-10-06 07:08:05 UTC
Last seen:2025-10-06 07:26:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:89FZMu2bPGzBHyIzMO3ortgeoMQpSRK6CUEvfso+9D2jXA3LIex4+bv/:89J2KBHZzP3or2HMkSRkUTND2jXAFxv/
Threatray 1'738 similar samples on MalwareBazaar
TLSH T1E2E42241661FD703D5632BF02872F2300BB85DA9AC1BD52B0EEE6DEF7916766660130B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe FormBook RFQ

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-1579.exe
Verdict:
No threats detected
Analysis date:
2025-10-06 07:09:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef05d41a-bfcf-4e6f-a1ab-57f3832ba5fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30715/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e36af691bc581176cc49e5
Tags:
virus spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected phishing vbnet
Link:
https://www.filescan.io/uploads/68e36af7d4a0085473c13bf5/reports/a8cdc56f-b884-4e04-ad71-c0b188c78196/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-03T07:15:00Z UTC
Last seen:
2025-10-08T03:55:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fcf3af84-227b-4a41-86ba-fe1fd3c4a3b5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1789548
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1789548 Sample: RFQ-1579.exe Startdate: 06/10/2025 Architecture: WINDOWS Score: 100 40 www.youquestions.xyz 2->40 42 www.runefi.xyz 2->42 44 17 other IPs or domains 2->44 52 Suricata IDS alerts for network traffic 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 60 7 other signatures 2->60 11 RFQ-1579.exe 4 2->11         started        signatures3 58 Performs DNS queries to domains with low reputation 42->58 process4 file5 38 C:\Users\user\AppData\...\RFQ-1579.exe.log, ASCII 11->38 dropped 70 Adds a directory exclusion to Windows Defender 11->70 15 MSBuild.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 72 Maps a DLL or memory area into another process 15->72 20 jHCSrBBLrj.exe 15->20 injected 74 Loading BitLocker PowerShell Module 18->74 22 WmiPrvSE.exe 18->22         started        24 conhost.exe 18->24         started        process9 process10 26 rundll32.exe 13 20->26         started        signatures11 62 Tries to steal Mail credentials (via file / registry access) 26->62 64 Tries to harvest and steal browser information (history, passwords, etc) 26->64 66 Modifies the context of a thread in another process (thread injection) 26->66 68 2 other signatures 26->68 29 iOhcoF6vdD.exe 26->29 injected 32 chrome.exe 26->32         started        34 firefox.exe 26->34         started        process12 dnsIp13 46 www.bl1.mobi 154.215.65.207, 49712, 49713, 49714 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 29->46 48 www.im8900.mobi 154.84.79.165, 49700, 49701, 49702 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 29->48 50 8 other IPs or domains 29->50 36 WerFault.exe 4 32->36         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/f2f7da93e790c3a67919a35ddd12f32b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190/
Threat name:
ByteCode-MSIL.Trojan.VIPKeyLogger
Create hunting rule
Status:
Malicious
First seen:
2025-10-03 11:13:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmp6r65s5cn62spyz7ft2ei6bmhxulnz3worrwwf2izlmecxegia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
10898c09830634012bc320ad02afc6120f285bada5b22db95687d0796e3d86d6
Formbook
4123bedccc18eee83aa4c7d8e1b64191ddde5fc234bd3c1cbd7f998571e47112
Formbook
4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
Formbook
5a30c4e68c8a9e2fa23d7176efd9f712624fb375d443c25b8829dd307e8b030d
Formbook
68ef29d9bd6e88b4fda357fa69b156376a0a611d287e909285bebbc0d6afc059
Formbook
cba5a4c3813bbce1dfd6591d94bdd59e773c33d06d4a534da0b3cb527f0a9f7b
Formbook
error
Formbook
+ 1'728 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251006-hyhwbswydv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e4de1d86-a9dc-416d-859e-537445ed8bcd
Unpacked files
SH256 hash:
3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190
MD5 hash:
f2f7da93e790c3a67919a35ddd12f32b
SHA1 hash:
7d9a785754803708bef977a1ea44df828e87bda8
Link:
https://www.unpac.me/results/0119cc1f-afd0-447f-8823-628a0a343357/
SH256 hash:
3a4fd3254840e121919224d81c384b4f6bfca33fe6e6cb134465b95f44564dff
MD5 hash:
5ab836213f6d442dfc53dc5bf13c64fb
SHA1 hash:
0d45e4651f05e446da69fcd0da3d549a9631b8e1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0119cc1f-afd0-447f-8823-628a0a343357/
SH256 hash:
cc2b98223c9dcaf35c31d2eb743780aa3ea50177043e82633dda11aa7b7ff66b
MD5 hash:
014ace331af3642ddb3d3aa754e94950
SHA1 hash:
2ee54a101d1817ffdf1154d6bc19a7fa6db81c97
Link:
https://www.unpac.me/results/0119cc1f-afd0-447f-8823-628a0a343357/
SH256 hash:
39892614c7e06b007c0ba628fa9e2aa78278bdac7beae0baa2765b4bc9e3cb98
MD5 hash:
587a19d4eadb28302de78968d31330d7
SHA1 hash:
5c0766ba4f9659bf24005ae60b8197c543d847e2
Link:
https://www.unpac.me/results/0119cc1f-afd0-447f-8823-628a0a343357/
SH256 hash:
6464da9838148c50a722b2d3a59eb82212d02b37ad1c4c5d0f1ce61b2bc00390
MD5 hash:
07ab88272b091668620b7f411e892af6
SHA1 hash:
a1e0caf91135c2e46c9ac6080c69967d1a56ed80
Link:
https://www.unpac.me/results/0119cc1f-afd0-447f-8823-628a0a343357/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b1fe8fbb2e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f51bdce370c3dc8b9f5c2308d5e44442639da6107d98504443e691f1a6445af5

Formbook

Executable exe 3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f51bdce370c3dc8b9f5c2308d5e44442639da6107d98504443e691f1a6445af5
Cape
Cape
https://www.capesandbox.com/analysis/30715/
  
Dropped by
MD5 5d58bab320508543628a72134f5db757

Comments