MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
SHA3-384 hash: 1e6f4bc70216e8828243685cdcc0e07195692bd9fb44a7d7d3c97de2c8f6d329e3255fd1484bb3f7cd58ff7cefeb3f33
SHA1 hash: 5a1da980c3f765265e4e10406b40f7cf57ed055c
MD5 hash: c7a508e2d74c3bd75b5770b68cb8e80a
humanhash: winner-romeo-friend-mango
File name:Updated Price List for 2025 Business Year.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:778'240 bytes
First seen:2025-08-26 09:12:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:NRac20K4GS009Usdb/4Fns2LaaVnUSiF2yO2ICmZchan2Xu3V6Uy1mR/wT:VZGvuHdr4Fs27UhH
Threatray 518 similar samples on MalwareBazaar
TLSH T146F4E1897111B19EC497EA318DA4EEB4EA646CAA5307D303D1E72DEFBC0D587DE041E2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Updated Price List for 2025 Business Year.exe
Verdict:
Malicious activity
Analysis date:
2025-08-26 09:16:43 UTC
Tags:
netreactor formbook xloader
Link:
https://app.any.run/tasks/a7f92667-ad36-466a-ba33-749dd4d73ea4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23633/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ad7afeeb163e0ec182bbc0
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68ad7bce4a87ed79676c0af7/reports/f685d854-347a-48a1-9ba5-49bc2644b751/overview
Verdict:
Malicious
Labled as:
Trojan_MSIL_LummaStealer_LLO_MTB
Link:
https://www.hybrid-analysis.com/sample/4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-20T12:42:00Z UTC
Last seen:
2025-08-20T12:42:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2d8dea0b-cb8a-4717-9e82-d74d556d3583
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.82 Win 32 Exe x86
Link:
https://app.malva.re/file/c7a508e2d74c3bd75b5770b68cb8e80a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
Threat name:
ByteCode-MSIL.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 16:13:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwqthmpnpwijrn5xnoeii4wangqi3kjtjswcslvjsxarhvkiclrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
120449b84850ba5b41e73f85e2f178271dd1cd0b8743f1e5af6ef760aa39b199
Formbook
2c35c24bdd434cf329bb45dce96e7499cdd231f182c9e679a01770fc006aac69
Formbook
446db8c0272f51979be2c65ad7ff221e5b00b3d3718a16cb2e6f7bd2f4003773
Formbook
842dc19cf33d84748f6d47ed991f212b19c04e614b1fdec55afa8e7a428e612c
Formbook
b0be564eb26f9cf2f58ea450d43194f3a4fb7dd2ca16375e3ecbfd636e5e7c13
Formbook
b27f17a52b7a491a0887307a8e4984f283b8076c1e49d535863068c51758c8bc
Formbook
b8a9598e5ab9a3cc65d1e011d01223128c6e6ce2dafe3409d33ac212a5192b82
Formbook
cba5a4c3813bbce1dfd6591d94bdd59e773c33d06d4a534da0b3cb527f0a9f7b
Formbook
e2dc30f133c91cab67e24cebc23291f6953654e16d4ea2621dd64dd500c5cc9a
Formbook
error
Formbook
+ 508 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook defense_evasion discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250826-k9l38sxqt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1037d735-0de3-4924-bc1b-dc501f844df0
Unpacked files
SH256 hash:
4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
MD5 hash:
c7a508e2d74c3bd75b5770b68cb8e80a
SHA1 hash:
5a1da980c3f765265e4e10406b40f7cf57ed055c
Link:
https://www.unpac.me/results/05c2e822-2ddb-4350-964e-f32abec96985/
SH256 hash:
27e5ffda53751e7360f380bd82a3176a7875a555f6af5b130fb2d64ff776c895
MD5 hash:
68845a1d0f6c65bb7ecc09ca76d2f005
SHA1 hash:
0145c4314c2cf41ae583bb32784fe780c1cdaf1d
Link:
https://www.unpac.me/results/05c2e822-2ddb-4350-964e-f32abec96985/
SH256 hash:
a21219d6ea3664ad11c07d4b00cd4bc000b92d47eda88d6e53b0f4e44e08ca69
MD5 hash:
a6d85223a30cc4c6ff27780550c75429
SHA1 hash:
8d7bfff0a9c3b309e11f940ad3e44a76aa1d2228
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/05c2e822-2ddb-4350-964e-f32abec96985/
SH256 hash:
c6d60625cf125f8667269925e9845d37d979a101cc7143590bd1dd28a654e6e2
MD5 hash:
51734f0ed37a35ac3b2bfbf539d35ffb
SHA1 hash:
cd569180511ec590b545ef8d130ad92d85dacf44
Link:
https://www.unpac.me/results/05c2e822-2ddb-4350-964e-f32abec96985/
SH256 hash:
a4f2b90aa1b60c8122787a3eb11ea7a3f4b8e12bf73ea288378e619b3867e750
MD5 hash:
adb1c307d43b060072d54ced055119b7
SHA1 hash:
80f4bb133bed9314bbb51dcbd2542a5ac5bd3d2b
Link:
https://www.unpac.me/results/05c2e822-2ddb-4350-964e-f32abec96985/
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4da133b1ed7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23633/

Comments