MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 13 File information Comments

SHA256 hash:	41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0
SHA3-384 hash:	5c1ed5e0ab49c6c54bb1ef4b548ab845606c04232a6580fe47c3ed8774b0497590c1d58057bb18b87369d074d4c91e95
SHA1 hash:	3c3f8129720e6cce15656c9a5762e9a5039fd3cc
MD5 hash:	e9e2b3293056de8bec90c19a7ba1dd5b
humanhash:	cold-music-michigan-hotel
File name:	YG.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	287'232 bytes
First seen:	2025-03-18 12:42:11 UTC
Last seen:	2025-03-19 14:36:55 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:BBieb55xwer/EltwZt/uueFeyDEsT2x1qNUQT7fuQANFgsBqzdWQ:ietMY/EltwzR0ynEfJAjgZ
TLSH	T13E5423A5BF42714EE455887130832148B8DAEB536939C7159EACA4D2F11A8B73F3173F
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.3% (.ICL) Windows Icons Library (generic) (2059/9) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	KatzenTech
Tags:	176-65-144-3 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

463

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d979e008116ce4257229e9

Tags:

injection virus zpack

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

crypt microsoft_visual_cc overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/67d96a5f0a7899f3579bcf21/reports/aab6726a-a2e1-4ed8-8a34-83cc7cabdbfd/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ac2e020-049c-45db-806a-8c17f8ce64d5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1641794

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-03-17 11:49:11 UTC

File Type:

PE (Exe)

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ihf4qvnv7h4ywwyvyoui24jlmtlntestsuadnzaxishklfk7fxaa._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

error

Formbook

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250318-pxe7dawrw4/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/120dab10-d1e6-412e-9719-cca1f42b2ac5

Unpacked files

SH256 hash:

41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0

MD5 hash:

e9e2b3293056de8bec90c19a7ba1dd5b

SHA1 hash:

3c3f8129720e6cce15656c9a5762e9a5039fd3cc

Link:

https://www.unpac.me/results/3a3e184a-9511-4a61-8ae6-068371737ff6/

SH256 hash:

ba33986f7d7f2a78cc9ecad38e562af5d0a9020801d2471a33ff2a228f9f47f1

MD5 hash:

1116d241fa0a4b1d64157adce8240437

SHA1 hash:

6bc964afaa24535b57522cbeb005b5bd79a1f98e

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/3a3e184a-9511-4a61-8ae6-068371737ff6/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/41cbc855b5f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/41cbc855b5f9f98b5b15c3a88d712b64d6d99253950036e417448ea5955f2dc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample