MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3
SHA3-384 hash: 302d5dc97e70c630e13b1e17b6ad6f6cea12c30b1b5cb52d29c692b054e6ff868ed85e908972282eb3ff88c5c039b2e1
SHA1 hash: 90b36e1591fe6470fe7eb04c77438d8371c59de8
MD5 hash: bed60acc09ba30c16df109a0a39d3e06
humanhash: oranges-mars-grey-arkansas
File name:SecuriteInfo.com.Win32.MalwareX-gen.3274.20197
Download: download sample
Signature Formbook
Create hunting rule
File size:229'376 bytes
First seen:2025-06-01 08:31:04 UTC
Last seen:2025-06-01 09:30:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2fd6552813b68acd0ea0374612a67b (1 x Formbook)
ssdeep 3072:C18RwaGleGQ76ea4gIQhc5LuGXelY120LEAkvOxNn5Itl:C+Rw4bSdrGXwY120LEpOnn5I
TLSH T185248C3955E15B33C5DD92718DE12723AC016D232742ADE786B43F0928BA1EBFCA53C9
TrID 70.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
9.0% (.EXE) Win64 Executable (generic) (10522/11/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 002e2091cef43142 (1 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
419
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.3274.20197
Verdict:
Malicious activity
Analysis date:
2025-06-01 08:40:51 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/0ddda637-093f-479f-941f-9d95f05986d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6666/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.3274.20197.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683c10fcacf88f5815ea776d
Tags:
vmdetect dropper spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Restart of the analyzed sample
Creating a process with a hidden window
Connection attempt to an infection source
Sending a TCP request to an infection source
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm lolbin packed packed packer_detected regasm visual_basic
Link:
https://www.filescan.io/uploads/683c0fdfe336a33801e14047/reports/2d98908a-2ba8-49ff-ae79-aaf79341b89f/overview
Verdict:
Malicious
Labled as:
Nadrac.Generic
Link:
https://www.hybrid-analysis.com/sample/51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5da73c8-d538-4b5e-a6e3-4bbd7f6c8f3f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1703295
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1703295 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 01/06/2025 Architecture: WINDOWS Score: 100 52 secretariaa.shop 2->52 54 scorpioprotector.store 2->54 56 5 other IPs or domains 2->56 66 Suricata IDS alerts for network traffic 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 3 other signatures 2->72 11 SecuriteInfo.com.Win32.MalwareX-gen.3274.20197.exe 1 1 2->11         started        14 SecuriteInfo.com.Win32.MalwareX-gen.3274.20197.exe 1 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 96 Contain functionality to detect virtual machines 11->96 98 Adds a directory exclusion to Windows Defender 11->98 19 SecuriteInfo.com.Win32.MalwareX-gen.3274.20197.exe 11->19         started        23 SecuriteInfo.com.Win32.MalwareX-gen.3274.20197.exe 14->23         started        50 127.0.0.1 unknown unknown 16->50 signatures6 process7 dnsIp8 58 scorpioprotector.store 104.21.112.1, 443, 49698, 49708 CLOUDFLARENETUS United States 19->58 74 Writes to foreign memory regions 19->74 76 Allocates memory in foreign processes 19->76 78 Adds a directory exclusion to Windows Defender 19->78 80 Injects a PE file into a foreign processes 19->80 25 RegAsm.exe 19->25         started        28 powershell.exe 23 19->28         started        82 Sample uses process hollowing technique 23->82 30 powershell.exe 23->30         started        32 RegAsm.exe 23->32         started        signatures9 process10 signatures11 84 Maps a DLL or memory area into another process 25->84 34 HRM1lSgiX81.exe 25->34 injected 86 Loading BitLocker PowerShell Module 28->86 36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        40 WerFault.exe 2 32->40         started        process12 process13 42 mcbuilder.exe 13 34->42         started        signatures14 88 Tries to steal Mail credentials (via file / registry access) 42->88 90 Tries to harvest and steal browser information (history, passwords, etc) 42->90 92 Modifies the context of a thread in another process (thread injection) 42->92 94 3 other signatures 42->94 45 oL0ufZLm.exe 42->45 injected 48 firefox.exe 42->48         started        process15 dnsIp16 60 secretariaa.shop 84.32.84.32, 49716, 49717, 49718 NTT-LT-ASLT Lithuania 45->60 62 www.herpich.one 130.185.109.77, 49720, 49721, 80 XIRRADE Germany 45->62 64 2 other IPs or domains 45->64
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3/
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2025-06-01 06:08:05 UTC
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khedgbcuuim6piz4mxynyy6656cxqxnzjrbfsglb5zs6qdkz7srq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250601-keq4psvqv2/
Behaviour
Enumerates system info in registry
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/beb0939c-e2eb-4ce2-860f-879ec7c76cb3
Unpacked files
SH256 hash:
51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3
MD5 hash:
bed60acc09ba30c16df109a0a39d3e06
SHA1 hash:
90b36e1591fe6470fe7eb04c77438d8371c59de8
Link:
https://www.unpac.me/results/ca443386-3751-49db-90af-9715bb54a796/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51c8330454a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 51c8330454a219e7a33c65f0dc63deef85785db94c42591961ee65e80d59fca3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/6666/
  
URLhaus
https://urlhaus.abuse.ch/url/3556108/
  
Delivery method
Distributed via web download

Comments