MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 21


Intelligence 21 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
SHA3-384 hash: 4bbc3cf31432da0b3c1e2b6ac5297f7a2bde4777d0fb5b05b9cbf6544a810d9129993ec4ac39394309228393c39a2b69
SHA1 hash: 9f448aab77c9610cbe0eb9ed9ab25d5b5eb34db4
MD5 hash: c71d0e2c0a1a3202b9299c812f4b807a
humanhash: six-mirror-seventeen-seven
File name:DRC091125-03 New order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:696'320 bytes
First seen:2025-09-11 14:07:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:HcKqOZQ8XhU173oiHHXN+Us90xJ9AmR0LkYBctCRP+N:DRQoh+vHXN++xJ9AzZSs2
Threatray 3'027 similar samples on MalwareBazaar
TLSH T1B2E4CE162F8DC9D6D0F2CAF24933D2701E6C5E699D56E232CED53F8BF63E6508A01191
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DRC091125-03 New order.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 14:08:16 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/57d63b44-0f23-4c74-9a05-62fa806f1c2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26926/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c2d7a46e66ba602d7a71ac
Tags:
phishing trojan spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap config-extracted formbook formbook lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc windows zero
Link:
https://www.filescan.io/uploads/68c2d7d90d1238ff0aaa2162/reports/a48d4b03-bddc-457d-955c-1430cbfcf038/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T05:17:00Z UTC
Last seen:
2025-09-11T05:17:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c42b036-c89c-4d6e-9352-008e14f5e1ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775668
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775668 Sample: DRC091125-03 New order.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 35 www.ian485.xyz 2->35 37 www.zborderfree.net 2->37 39 9 other IPs or domains 2->39 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 51 14 other signatures 2->51 11 DRC091125-03 New order.exe 4 2->11         started        signatures3 49 Performs DNS queries to domains with low reputation 35->49 process4 file5 33 C:\Users\...\DRC091125-03 New order.exe.log, ASCII 11->33 dropped 65 Adds a directory exclusion to Windows Defender 11->65 15 DRC091125-03 New order.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 62 1 15->20 injected 75 Loading BitLocker PowerShell Module 18->75 24 conhost.exe 18->24         started        process9 dnsIp10 41 www.c4589.top 54.179.179.216, 49691, 80 AMAZON-02US United States 20->41 53 System process connects to network (likely due to code injection or exploit) 20->53 55 Uses netstat to query active network connections and open ports 20->55 26 NETSTAT.EXE 20->26         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 26->57 59 Maps a DLL or memory area into another process 26->59 61 Tries to detect virtualization through RDTSC time measurements 26->61 63 Switches to a custom stack to bypass stack traces 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/c71d0e2c0a1a3202b9299c812f4b807a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 08:28:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6exwe25rh6u7luwko2o4dt2zfm4i6gmcjzu5rp6rb6wvsjgqdga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
212151a618e9234e1c746f364ae9f98f12a2198c0ac9c4b3058d056541163240
Formbook
3f56b75e0a22acce7e85ba3b5e24ba8ccdfc573929376671a0ababd8a5db6686
Formbook
41eaa4d9ca00fdef1f8ac2b02ffbb0498b8ed8565916247c20b4a41beaa102a8
Formbook
4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
Formbook
617bf6800d42409a74ae0539d3e3ffc412e6c4bb137c232159c3ca946bc0fcdd
Formbook
89369898ebf3b91a1f28cecd38382b3f47d32e0cbde22543b1ece74c25c03eef
Formbook
94976e161177276c6c1f03697f87bbbda781fedb937342a311728f51a3bce501
Formbook
b456996591120e1dddad01bcd6651f37ee3a30644d7ef77c3e41c21189615404
Formbook
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Formbook
error
Formbook
+ 3'017 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fa27 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250911-re7vsatwby/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c591e6e4-4c7b-450c-96dd-7f7f26caa907
Unpacked files
SH256 hash:
4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
MD5 hash:
c71d0e2c0a1a3202b9299c812f4b807a
SHA1 hash:
9f448aab77c9610cbe0eb9ed9ab25d5b5eb34db4
Link:
https://www.unpac.me/results/8f7b354e-1b82-4add-b53e-98af2cc8d0ef/
SH256 hash:
12dda0cd3b378fbced3071df357733426bb09e47c31fcc3ba6273650f67895dc
MD5 hash:
773c55854eb467033abb78bc2b667f80
SHA1 hash:
54bfd694185cd257abb4ee6b477dba12b971b9b9
Link:
https://www.unpac.me/results/8f7b354e-1b82-4add-b53e-98af2cc8d0ef/
SH256 hash:
f8fcc96a8eb94edf70a2b7bd0150bad8746a11f8d16041280003a3137d68aaf4
MD5 hash:
df3ab23b6014d7047b17df3ece1e6543
SHA1 hash:
8e47764116fe6002d6e661e8bf80895918e13195
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8f7b354e-1b82-4add-b53e-98af2cc8d0ef/
SH256 hash:
229354a837745aab79c01f7c3c35f0596a637a8e53e5b42903742fb8a937706b
MD5 hash:
0c9a941bfd588e8e56a9230691d9e3b3
SHA1 hash:
bad91e41b88a43ebfe62208fc6d2555a7ff972df
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/8f7b354e-1b82-4add-b53e-98af2cc8d0ef/
Parent samples :
212151a618e9234e1c746f364ae9f98f12a2198c0ac9c4b3058d056541163240
94976e161177276c6c1f03697f87bbbda781fedb937342a311728f51a3bce501
64b46245757a9181c081dfd7d31c504f3d74659d1c72bb01a21697032ab1b702
4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
c2f65520679a99af012fb9ba6d2eab1beb9af9de7d5acc28aa34c80f1b49c736
1f9e0b93f46f8d3a082b8504b723df366b34fe38c093dbf910660a259ee1761d
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f897b135d89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26926/

Comments