MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0
SHA3-384 hash:	f6cf80c70142935a760ce18ea74450f9ed1a22a6437fc32420cadc93ca7c3feedce4df02b8c3a148584b9fd1fbf2e500
SHA1 hash:	af1a1efe1ad91da8cb6a96c2fdbd35d68f3513c3
MD5 hash:	a64458dad0ee19084210ead0f7882e46
humanhash:	shade-pasta-asparagus-tennessee
File name:	OTSUSA INDIA PVT ReservationsOrders.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	772'096 bytes
First seen:	2025-07-22 10:40:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:BwC1/3plPNWJKWjh1+AlEkyDDv3Sfv0eyGWaNx6lo4jh7g95ujSoLEa/QgAVS8QZ:bF5lPNWJwTD7SfsYXwWCq5urdE/QZ
TLSH	T1EFF40105E53ADE11C4660BB52B31EDB013BE6D88B420E7239EDABDDB727774204C1A5B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	ccb66361791992cc (11 x Formbook, 6 x VIPKeylogger, 2 x XWorm)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

OTSUSAINDIAPVTReservationsOrders.exe

Verdict:

Malicious activity

Analysis date:

2025-07-22 10:45:42 UTC

Tags:

netreactor formbook xloader

Link:

https://app.any.run/tasks/5900fc9a-c660-44cb-9b14-7026740f4b60

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/16297/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=687f6b572f623871a5f1c0a7

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/edc0b2ac-ca4c-4f51-9fdc-0eb00f28ebab

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) SOS: 0.30 Win 32 Exe x86

Link:

https://app.malva.re/file/a64458dad0ee19084210ead0f7882e46

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2025-07-14 12:59:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 36 (58.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hobrhxwn5nzolpaegjw4xhhn6bwbxthgdds7mxme7zpuqh426paa._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250722-mrzmqavsax/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Formbook payload

Formbook family

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e955b5bc-636c-4012-b882-5bc81f570505

Unpacked files

SH256 hash:

3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0

MD5 hash:

a64458dad0ee19084210ead0f7882e46

SHA1 hash:

af1a1efe1ad91da8cb6a96c2fdbd35d68f3513c3

Link:

https://www.unpac.me/results/9ad6e2db-8964-4334-aa0d-96b5e0bc79b6/

SH256 hash:

0ad9330f8096b30a282f53d51dfe44664f3ba3251199d25f097c01f43fe55aec

MD5 hash:

cc621595551035aa96c37e8738bfb040

SHA1 hash:

3507953a4fba3cf6df37347156f060e4e9e09ed7

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/9ad6e2db-8964-4334-aa0d-96b5e0bc79b6/

Parent samples :

06ede9a79380740bc6717b85c81962911c87ef299c0f9925e44cf66569784154
881666cfb7700551912b6f0b5ed601d61aa0c81576d53f69a43246b573832f8c
c45640db87251995dc06c2ea4ef6ca5c0922df2b54819c84f4ef3477a4cd23c1
371f1cb8f80e05125b0673ba6bcb23237cdfa3c66f2954561ee476b8d6f89e70
6ae17339b8a76cb12268e292ad1bd020e9b02acad06d868472bf00926bb83821
28dd00c9360fc7d7359113ee5599e0d902fdab71305d9f8ac52e97ccdfb1858b
939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
b37ff76776a38f2a0ded7ae2220a44c0dfcb92ed88f135bb3f4443ad8b98548a
bae9c509299e16792064c4219babb32f5acaf456a067228c77320ae69c678d31
4c732e0d384f492723ed512743084b8d30e75dc836f9baec38435e7f7298a752
10b473d1b8926572686bf2c6b3bdbc67e18a8dbf066d7f392966bccac917c97a
b72158c1c37f7ef6edfe5511acd3c9f7131ee6093688290b33d250871d7b74fc
034376b7cdb06a63b0232f54fb906b95f37fc7f4921e9c6999c37f4aad9d61ba
3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f
6d8d665ed1c840de96732ee893e4fce02f684b81491b92291fb99d537cd2b933
71cc18003948de6d70cfef8ecad9a10d842c3c24d07488b7b1c040c39755fd2d
f10f2a163771c5a1a36a9c243b3887caa461b7c6340c069e16735e2ec7d89219
9b77205f51b2a49e9a04f112d14f350e37c0183fe87c0614b597f81c5d57a95d
d2d35b1008ab18a196bf68887081208b475a1a70a74ef2ee8da7fe065cc4ad09
32232a07b736cd0d8e26f355bb8132d736c71bdb01fe2a78e386664cccde6dbd
566ca7ccb9b63e49ff9bbfe0dc46bfc628d8232f7d45097eeb92518203711b5a
a8c09aa5ef25bcd378a81138c1eb67c3e259c3e1e8ab6a25d3f59859d0929937
8f59ab17a29c57035493103d83e22f6f1ee15d33df4164fc69f47918f177cc1e
36a075c198f7bd34a5a7ac2981d644428a32d32efdcb6f5a16ce1b085f0fc08e
d1a0edb84de425f4ab004ef17965b309fce345f682248865b34d9b4932d6f8f6
52f7d9e48e3bd296430db88b98ee848e1d5daec114c1f2afce6d1220a89e2914
a8561c312838771cf9a079cb93b31fe770796853a74b4306fd881e8dd4340479
1f51b1d0df7579263dcf24df5e1c929e697f6d10549086c366f673450b69e079
b11795618dd4c3d57ad342cade637ad1d96006c7d46e803bd9eb3bee29ef2b67
0edf6cb143e229fe20ab001a3807027e15681cf90663407519dacf6f3765c99f
3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0
af94dfc71a87808a55b15f45c08c816f8c82eae3727760424c03d5c790613d06
d1811755daa3a02ad817f8b136e4c7b8299f8b17af7e38bdab0059986d510a7f
56a52da62bfba5f29ebc4c1ddff84bf2959c84db06fd685220ed910f18074e7b
1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a

SH256 hash:

d5493a431b14acb611120c89280cad67712bceed253a96eb1035529ccd482010

MD5 hash:

cabee8c851f68c2d3765926e1a101304

SHA1 hash:

39811afbfd23e34fc606dbfd924bd72970e44c1a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9ad6e2db-8964-4334-aa0d-96b5e0bc79b6/

SH256 hash:

fc4b67409ffa1051ecb459d32e0bfdbcaf7c62e498430d0d56c23a3e3c27bff0

MD5 hash:

7211f34e2a294d0171119f9787ca7d18

SHA1 hash:

90f402d0b28a6a218ae75f262bca85ccec6bc400

Link:

https://www.unpac.me/results/9ad6e2db-8964-4334-aa0d-96b5e0bc79b6/

SH256 hash:

100320b51388dda1a4b3306d6a294222eb4d2dfe67f42f8490ce4e0c7fdc5b3a

MD5 hash:

e978b8e5272347c7c831368c87056830

SHA1 hash:

263bac811ca81aaf982dce0b92b8b38bfc59292e

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/9ad6e2db-8964-4334-aa0d-96b5e0bc79b6/

Parent samples :

fae04e1753cc051af6229b382defa6367e33075095c579249473f6f467cbccb1
3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0
241d00dc87b5c01600a761460116e618505ecb4263f586ef5447b8c1d4329ebd
078cabe3f98bbf49468d898d869cd8f58df0ff0a1bddd9d00524ac49dd04f3af
cd96ca7a5b5ea72b4c03e9b2363296307ea826dc504c2dd54df89c3aeae94d5d
db2b7020233579fb99689c7e706545b2d7eefa8a83ef24160831c8fc982a1b4c
c5658d0585c94a50f715384ed28507806352107648eafa58fd7764a16c382244
fea19e2a8ec0ae79fb6f25deec6ac647a53027ee3d4861be780daf205d49a718
53b1100f0b09af2d37c8df2bcd77aaf844c4424bf17d71854a5d14130881ba10
3f3bedd484f8e49e35bd9e77b1ae88b27d5efc747a44dee28277be0556653ecb
62f63b180fc726bb6d54ecba4b3edb4436e2442953b07aea87c0e60cf057417f
9bcb3e63dbaaaccc6ed10bde4e8f96b264947758d1bf27d143b37f3f29166a84
6baa5a857ac8045ba485189e5098242a01946a00e35a7a541d7494562137aef1
5ee3dca8cae3f74a8d15e487328d1a33c28ca7098c747f2d50e4e5547d038474
928f36967f7a7af841021d4833479ec18178d48d9c418e772d0b3d32da7a2e6d

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/16297/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample