MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
SHA3-384 hash: a91f2e2ec7fda7908d0973945198a875cc043b7d969a0a4ad881e6db58138535de8199871b7e786cd9eac0191fd1ccf5
SHA1 hash: 6d8c8785d05e889146b8267e70df042c79d10f1b
MD5 hash: d865981b80236a3ce7d5eca100d947e7
humanhash: mike-two-speaker-nevada
File name:5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
Download: download sample
Signature Formbook
Create hunting rule
File size:819'200 bytes
First seen:2025-04-08 08:11:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:zIj2n6ngZB5w4KEDvstIq1DYDZk9gOV+hM:8jbnuBKmvsuqC8N
Threatray 2'055 similar samples on MalwareBazaar
TLSH T199050198A398C917C6A717785570F63813BBAD9A5936D31B4FCD6CAB7F27A009D00382
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 70cca2b2b2a2cc70 (7 x Formbook, 7 x SnakeKeylogger, 5 x MassLogger)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
Verdict:
No threats detected
Analysis date:
2025-04-08 09:51:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88aeb092-c7d0-46e3-856e-bdc6d5f316a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4dc25e011fe619fad1c92
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67f4da6b2d430c849e0c723b/reports/1215b1a3-b215-4472-b06e-5ced6ec03ae1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a6b182b-c8cf-4cd2-a6de-b695c6d43d0e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1659920
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1659920 Sample: PwQI29Drsj.exe Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 37 www.liangfeng.cloud 2->37 41 Suricata IDS alerts for network traffic 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 10 PwQI29Drsj.exe 4 2->10         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\PwQI29Drsj.exe.log, ASCII 10->35 dropped 59 Adds a directory exclusion to Windows Defender 10->59 61 Injects a PE file into a foreign processes 10->61 14 PwQI29Drsj.exe 10->14         started        17 powershell.exe 23 10->17         started        signatures6 process7 signatures8 63 Maps a DLL or memory area into another process 14->63 19 cjLa0WO4CdnjrjVnUIn2ciA.exe 14->19 injected 65 Loading BitLocker PowerShell Module 17->65 22 conhost.exe 17->22         started        24 WmiPrvSE.exe 17->24         started        process9 signatures10 49 Found direct / indirect Syscall (likely to bypass EDR) 19->49 26 secinit.exe 13 19->26         started        process11 signatures12 51 Tries to steal Mail credentials (via file / registry access) 26->51 53 Tries to harvest and steal browser information (history, passwords, etc) 26->53 55 Maps a DLL or memory area into another process 26->55 57 2 other signatures 26->57 29 cjLa0WO4CdnjrjVnUIn2ciA.exe 26->29 injected 33 firefox.exe 26->33         started        process13 dnsIp14 39 www.liangfeng.cloud 154.85.155.6, 49695, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 29->39 67 Found direct / indirect Syscall (likely to bypass EDR) 29->67 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 04:42:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
29 of 36 (80.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=keqtapxcfk5yptwf5ff4wfpvmylglh5vdi36mq6tf5fcai77j6pq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
001a72194f343369305743fd94cbd8042f3b85299bbe26ba471c1d51ab03abae
Formbook
07f8ebfa4624bb85aac0acee4b555bc9e19207a1d7fd9d369a931176ad0bde8e
Formbook
1b9ffe88ec292067ef1eafeffa284d8fb12a02b0d52f38fbe6834ab7a5c05009
Formbook
262792ce948f1bfb557a50e8326cfbead6e67d6877efc59365596997a4ffc320
Formbook
5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
Formbook
b96cfca8ea3bc4fe132e029f2743fed9d30592d6012b4fe829180a2c1457f4f1
Formbook
error
Formbook
+ 2'045 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250408-j36zds1qy2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/150d99c2-76c9-48dc-8bf1-1bcdd48bfc5d
Unpacked files
SH256 hash:
5121303ee22abb87cec5e94bcb15f56616659fb51a37e643d32f4a2023ff4f9f
MD5 hash:
d865981b80236a3ce7d5eca100d947e7
SHA1 hash:
6d8c8785d05e889146b8267e70df042c79d10f1b
Link:
https://www.unpac.me/results/56a1da7c-fef2-4f5b-8f28-dadc4b3f3043/
SH256 hash:
031deedabb54d2e126844987a7f6db9c838925b15d22d51562ec7c0a4c81ccfa
MD5 hash:
822b83fead271ca0970948cafdc56bed
SHA1 hash:
4a3163881a3550265349eec39f136e9d08a2eff0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/56a1da7c-fef2-4f5b-8f28-dadc4b3f3043/
SH256 hash:
72bfd47266006b378f1b63658456e1fa450b4c8fa93a1e0c484f51261573257a
MD5 hash:
4966311889e08f67f7fa6bae9272372e
SHA1 hash:
6fbbd39bcdcf4891b07bab95d14e20f00ce710ce
Link:
https://www.unpac.me/results/56a1da7c-fef2-4f5b-8f28-dadc4b3f3043/
SH256 hash:
c6d3a517aaa15304fa69f01b2e3077eeb5a88f0145bb5264be10b3dbafd28184
MD5 hash:
485101d81cdd8adaf4572179e943ccad
SHA1 hash:
ec7b4b4018905a2f7c8f18e1ba666307a4cfc08f
Link:
https://www.unpac.me/results/56a1da7c-fef2-4f5b-8f28-dadc4b3f3043/
SH256 hash:
85081045a0a52967e634cbc35e9135c80b31e0ed416208349a5b0610be0cb47b
MD5 hash:
2fd21e94614e7f144ed3ac095dc76a83
SHA1 hash:
fae41e05cdbecd0a30721e0c3be8394c335250a4
Link:
https://www.unpac.me/results/56a1da7c-fef2-4f5b-8f28-dadc4b3f3043/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5121303ee22a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments