MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773
SHA3-384 hash: 39962c078781826b92d7c5182fc5888583049f772757c4901b236d68049896e0e3cc7a1d70325efbbc0e46d90604e4ce
SHA1 hash: 925e5cfa6e3efb090fea4b73c492205316171fa2
MD5 hash: a9d941d0d81b45045d0fbfe0e6a10075
humanhash: november-washington-butter-hamper
File name:DHL_7482551.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:726'016 bytes
First seen:2025-08-22 15:10:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:1b9rVUJTinKsEUJTLl5QLau3gYwQbG79B/R8R0hfijvquLkPuhan2:1LUBicUJTLl5KDwaG799U0iL3Le
Threatray 398 similar samples on MalwareBazaar
TLSH T116F412966622FA16C8E9277419A2D3B543BC9EDCA810E3168FFDFDEB3D1574129013C2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_7482551.exe
Verdict:
No threats detected
Analysis date:
2025-08-22 16:05:24 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/02a18df9-9c46-4e9c-8490-84046c3b6073

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23003/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a888b1e9d9dbcfd96d1a4a
Tags:
virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc vbnet zero
Link:
https://www.filescan.io/uploads/68a88a764a87ed7967685ed6/reports/d5215b5f-f676-4cbd-af3c-f286ccbc148f/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-20T13:34:00Z UTC
Last seen:
2025-08-20T13:34:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24b8f695-622e-4a7d-9abc-e687a55c506f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1763017
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1763017 Sample: DHL_7482551.exe Startdate: 22/08/2025 Architecture: WINDOWS Score: 100 38 www.teleexplore.xyz 2->38 40 www.royal-bet-king.xyz 2->40 42 5 other IPs or domains 2->42 56 Suricata IDS alerts for network traffic 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected FormBook 2->60 64 4 other signatures 2->64 10 DHL_7482551.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 62 Performs DNS queries to domains with low reputation 40->62 process4 dnsIp5 36 C:\Users\user\AppData\...\DHL_7482551.exe.log, ASCII 10->36 dropped 66 Adds a directory exclusion to Windows Defender 10->66 68 Injects a PE file into a foreign processes 10->68 17 DHL_7482551.exe 10->17         started        20 powershell.exe 23 10->20         started        44 127.0.0.1 unknown unknown 14->44 file6 signatures7 process8 signatures9 52 Maps a DLL or memory area into another process 17->52 22 MKghRgZfQL.exe 17->22 injected 54 Loading BitLocker PowerShell Module 20->54 24 WmiPrvSE.exe 20->24         started        26 conhost.exe 20->26         started        process10 process11 28 cacls.exe 13 22->28         started        signatures12 70 Tries to steal Mail credentials (via file / registry access) 28->70 72 Tries to harvest and steal browser information (history, passwords, etc) 28->72 74 Modifies the context of a thread in another process (thread injection) 28->74 76 3 other signatures 28->76 31 PL40JSPyH2Ma.exe 28->31 injected 34 firefox.exe 28->34         started        process13 dnsIp14 46 408.design 3.33.130.190, 49708, 49709, 49710 AMAZONEXPANSIONGB United States 31->46 48 dumasuite.info 195.110.124.133, 49716, 49717, 49718 REGISTER-ASIT Italy 31->48 50 3 other IPs or domains 31->50
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86
Link:
https://app.malva.re/file/a9d941d0d81b45045d0fbfe0e6a10075
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 16:21:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=irw3rqbhf5izpg7cyznnp7zcdznqbm6togfbnszon555f5aag5zq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
2c35c24bdd434cf329bb45dce96e7499cdd231f182c9e679a01770fc006aac69
Formbook
784ce0e82c852d420792062fc2370bfed13b8b846bbc126bfd5f6e3f5d1a2c67
Formbook
aaa5b20a90d1f1755d39e6e228f8d4a4060d9da1451d9dd54a6e85fa2dd9ceef
Formbook
bc8c43e5b2edd24663599d319b7c0b0f855504d66c6e26b122904781291a33a5
Formbook
cba5a4c3813bbce1dfd6591d94bdd59e773c33d06d4a534da0b3cb527f0a9f7b
Formbook
cc6de21ebaf5b1da25218987714320f9dcc9dd38acad71a9513a42323621a2ed
Formbook
da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
Formbook
e2dc30f133c91cab67e24cebc23291f6953654e16d4ea2621dd64dd500c5cc9a
Formbook
e3f0db807199f2c11edacf8fa4a177b047b984f1fb5e85418c43d64c63bddf6d
Formbook
error
Formbook
fe2ffc367b1dc62198c5b5f8d4a6d6548b69e23d6e4fc1512e6670b559ef722c
Formbook
+ 388 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook defense_evasion discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250822-spegnawmv7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/416ff15a-d4aa-428a-97da-2f940f99defa
Unpacked files
SH256 hash:
446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773
MD5 hash:
a9d941d0d81b45045d0fbfe0e6a10075
SHA1 hash:
925e5cfa6e3efb090fea4b73c492205316171fa2
Link:
https://www.unpac.me/results/46c466af-ca4a-4c39-968a-8eb28459fa86/
SH256 hash:
338eec1b8f81648168774142d32504dcfbdbf117fd766a5dfb8b55fc268751b4
MD5 hash:
241d283e71e647bd8c014036a659793e
SHA1 hash:
2e18adfafa1f106df0aeb621c4d1e65fbd42ce77
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/46c466af-ca4a-4c39-968a-8eb28459fa86/
Parent samples :
446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773
5ee3dca8cae3f74a8d15e487328d1a33c28ca7098c747f2d50e4e5547d038474
SH256 hash:
9485dba36ff93583b154f4ab11730ed448f7ee199d2203e0166349e8a3640ef7
MD5 hash:
ccfd69f655d4d803882b790df1d2be62
SHA1 hash:
813de8f1af8fedc5fec1f608824b2d7fec05f830
Link:
https://www.unpac.me/results/46c466af-ca4a-4c39-968a-8eb28459fa86/
SH256 hash:
5b510b18323605b7bdef6f1784102e720767f19410c3ddb3ddc8ca2d3c866e78
MD5 hash:
b0b9c1d08bab3ea81d75038ba3442aa2
SHA1 hash:
87ab4fe135b6301fec6a891a815431f389b9c77c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/46c466af-ca4a-4c39-968a-8eb28459fa86/
SH256 hash:
7fdb90f50f25a2ee61893a56a53cadba49274b71143bff854d40a104f53ea6e9
MD5 hash:
6a9e392389d0ad136892b19d8355c7ac
SHA1 hash:
3b9a9bee21adb3f0dc2caa82cf048589b0848639
Link:
https://www.unpac.me/results/46c466af-ca4a-4c39-968a-8eb28459fa86/
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/446db8c0272f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:attack_India
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23003/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments