MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b
SHA3-384 hash: ceb38c0fe9a476238daba35c3827194736dc4f419ee8fab2765f0bbb2e29e300dad8ede4ebb60672b30601a608412c5e
SHA1 hash: 89b71711457bd6d78d78e5d3eade2901e9711e07
MD5 hash: 9a90943d977de42e588dc4662a75a636
humanhash: angel-north-charlie-may
File name:DHL-PAYMENTOVERDUE-1STREMINDER-1300712211.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'069'568 bytes
First seen:2026-04-15 13:20:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'887 x AgentTesla, 19'802 x Formbook, 12'306 x SnakeKeylogger)
ssdeep 24576:9XenMHUrcISfixiZgo/yDFmZ9jKuq0hFdzA/XtYzw2YSvfS:96M010KhRe3FA/XtYzw2YSv6
Threatray 2'702 similar samples on MalwareBazaar
TLSH T15D35121A5328D803C4670BF419B1E0B427A88D9CE576D606AFDE7FEBF07970446A9393
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/699dc47a-6654-4f6c-9d5c-4cf89c6ec6fc/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL - PAYMENT OVERDUE - 1ST REMINDER - 1300712211.exe
Verdict:
Malicious activity
Analysis date:
2026-04-15 06:55:11 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/7101f138-5a50-4395-96f5-3ebf98dea82f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/61748/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69df363345787c53e539da85
Tags:
shell virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade packed tracker vbnet
Link:
https://www.filescan.io/uploads/69df90bcd920e19044fcc291/reports/2d82e155-c98d-4a91-b0fa-7d9dee119990/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-14T21:46:00Z UTC
Last seen:
2026-04-16T23:35:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb UDS:DangerousObject.Multi.Generic Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.Dnoper.gen
Link:
https://opentip.kaspersky.com/41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/19a319bd-ce4a-4273-9192-12431a4b379e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1898789
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1898789 Sample: DHL-PAYMENTOVERDUE-1STREMIN... Startdate: 15/04/2026 Architecture: WINDOWS Score: 92 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected FormBook 2->26 28 Yara detected AntiVM3 2->28 30 4 other signatures 2->30 7 DHL-PAYMENTOVERDUE-1STREMINDER-1300712211.exe 4 2->7         started        process3 file4 22 DHL-PAYMENTOVERDUE...-1300712211.exe.log, ASCII 7->22 dropped 32 Adds a directory exclusion to Windows Defender 7->32 34 Injects a PE file into a foreign processes 7->34 11 powershell.exe 23 7->11         started        14 DHL-PAYMENTOVERDUE-1STREMINDER-1300712211.exe 7->14         started        signatures5 process6 signatures7 36 Loading BitLocker PowerShell Module 11->36 16 conhost.exe 11->16         started        18 WmiPrvSE.exe 11->18         started        20 WerFault.exe 19 16 14->20         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2026-04-15 04:44:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igx2ior25jq4jmhlbces73exca34q6t56bo2vwqz4tmhutps7snq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0035d9424bdee5b512bd3441db4be0486f82a7beb8890713dada7d83e3b7b845
Formbook
06319316c7d3da0881bcf83a4509a9dd15fa4765228240b0d4c7684df40aa99d
Formbook
0a49ae686b7a7d0153f290bd5d125d354e7aca15e095b049f7107a23e53137e0
Formbook
170a6b1733b3f3c3b0bab99254b4d93ac9a843bd1af1030d4af4d4cc936b10f6
Formbook
201fd89861c6272f544766e8366c0bf17869c029b4349e639d5aa55b85482ead
Formbook
41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b
Formbook
8a639273cd274f71edc6b10737fd4733e3186d5ce9d3c9287158b05a53707abd
Formbook
error
Formbook
+ 2'692 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260415-qll18ahx9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b
MD5 hash:
9a90943d977de42e588dc4662a75a636
SHA1 hash:
89b71711457bd6d78d78e5d3eade2901e9711e07
Link:
https://www.unpac.me/results/7115e327-0486-4394-bc08-a98a659c9980/
SH256 hash:
58a3c88b94e5362969012d6a8ef0fa14e37e0fae667fa062bb6f92fba00c540a
MD5 hash:
199fa8739117f3e8e651a361137d9bb3
SHA1 hash:
61cdc283454d2f422ffcc16c0a6f5626c93af8f2
Link:
https://www.unpac.me/results/7115e327-0486-4394-bc08-a98a659c9980/
SH256 hash:
1e5f3ef537d7393dd3eb4b516541753cba55aa951e2e4f527379c8c53abef0b0
MD5 hash:
98ee2b293906a889b914368d9cd6f9e8
SHA1 hash:
ae9bf2b1d023671d7acd3132c805e9eb1c5efbe8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7115e327-0486-4394-bc08-a98a659c9980/
SH256 hash:
265710a4053dc7c993ca47e266c6b9c6808530186385a0e192fe747e0e903bfc
MD5 hash:
4ff8bbf69b087c8173d1548b6164ca02
SHA1 hash:
d7ba0745511bfc645fd1f13c956fa6aff5449e40
Link:
https://www.unpac.me/results/7115e327-0486-4394-bc08-a98a659c9980/
SH256 hash:
9abf9a49a25cef748c43796c6138a97fb8ea77a52a4127073df907120ad400df
MD5 hash:
d78eb794eaa3ab044c3a7fb2eff6cf7d
SHA1 hash:
0451a652b5224f67c9d67891770cf6901b79cb5b
Link:
https://www.unpac.me/results/7115e327-0486-4394-bc08-a98a659c9980/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/41afa43a3aea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41afa43a3aea61c4b0eb08892fec971037c87a7df05daada19e4d87a4df2fc9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/3822466/
Cape
Cape
https://www.capesandbox.com/analysis/61748/

Comments