MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
SHA3-384 hash: 213d8caddb43c05e3466baf508f7ff835c9e727462d84fc2d0a1725c065ad19b230bd2ecd99e4428924ff028b430cf97
SHA1 hash: 7840838b52c526964c409d65ad2e17e1abef3d2e
MD5 hash: 609e560a4e98077d31743b719bf0c383
humanhash: blossom-fillet-twelve-glucose
File name:SC-906-GVA DESHBANDHU.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:705'024 bytes
First seen:2025-03-19 19:21:59 UTC
Last seen:2025-03-19 20:19:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:JnXLCspj81oEZO2GFI+7r6VbHb16EWq35CumuqdLiuihLcWZK4PJ/0o:9XLCsh81VS6lbcE935dqh/7WHP
Threatray 7 similar samples on MalwareBazaar
TLSH T188E423E856A4C816DEA543B12972F772237DDE5FF9229323DAEDEC53BC05225391C280
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SC-906-GVA DESHBANDHU.exe
Verdict:
No threats detected
Analysis date:
2025-03-19 20:35:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5443a645-830a-4704-907a-694884690c66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67db196d9388e75d078eb5a8
Tags:
shell virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67db19676070b69e854cb108/reports/7f3bc4d0-b4bc-46c2-82f9-b0b215924f80/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d38eecf8-126a-4703-8d7c-9dc9e5cb5680
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643443
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643443 Sample: SC-906-GVA DESHBANDHU.exe Startdate: 19/03/2025 Architecture: WINDOWS Score: 100 34 www.quantumxr.xyz 2->34 36 www.lingkungan.xyz 2->36 38 16 other IPs or domains 2->38 46 Antivirus detection for URL or domain 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 54 5 other signatures 2->54 10 SC-906-GVA DESHBANDHU.exe 4 2->10         started        signatures3 52 Performs DNS queries to domains with low reputation 36->52 process4 file5 32 C:\Users\...\SC-906-GVA DESHBANDHU.exe.log, ASCII 10->32 dropped 58 Adds a directory exclusion to Windows Defender 10->58 14 SC-906-GVA DESHBANDHU.exe 10->14         started        17 powershell.exe 23 10->17         started        19 SC-906-GVA DESHBANDHU.exe 10->19         started        signatures6 process7 signatures8 68 Maps a DLL or memory area into another process 14->68 21 jphNeOYYjy6yQL.exe 14->21 injected 70 Loading BitLocker PowerShell Module 17->70 25 conhost.exe 17->25         started        process9 dnsIp10 40 www.lingkungan.xyz 13.248.169.48, 49723, 49726, 49727 AMAZON-02US United States 21->40 42 www.klass.team 77.222.42.122, 49774, 49775, 49776 SWEB-ASRU Russian Federation 21->42 44 10 other IPs or domains 21->44 56 Found direct / indirect Syscall (likely to bypass EDR) 21->56 27 help.exe 13 21->27         started        signatures11 process12 signatures13 60 Tries to steal Mail credentials (via file / registry access) 27->60 62 Tries to harvest and steal browser information (history, passwords, etc) 27->62 64 Modifies the context of a thread in another process (thread injection) 27->64 66 2 other signatures 27->66 30 firefox.exe 27->30         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-19 13:53:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kk2nparzediwyasto6rr2mgieqmrt5gegxxj5fz6dzhh4ebqcf2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
0d173d647ff21c983845365edb6cfaab515479dd8eb6cb47f3c2295afffe1004
Formbook
0ffb85454f582cc85ee5b77282c62c16c3f845706a850fb2b096ce287494073f
Formbook
52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
Formbook
ce0656d79699a86c7a59333646e0248408e03e9b8e157289fb8e04e520a251c3
Formbook
error
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250319-x3ag3s1scy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0a3b0329-d485-4c12-b43d-90fbd584ddf4
Unpacked files
SH256 hash:
6baa0004a04fc2df7881b1731405768317c93ae0023357a2f16aae14b65622b4
MD5 hash:
5cdfbe36551b6b339ccef65d393a896d
SHA1 hash:
3591655c34f92b7042759f5fb0978bc292a2a252
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/808acc80-0e2b-44bc-aebe-3f1a40b4a151/
SH256 hash:
6cc675383d39a3e65382c233178eff7d36028ce1e7c0cb49e6ba7028801ea88f
MD5 hash:
f28afb1dbf2153165c7deacc59d652b5
SHA1 hash:
492b84fcd0f99abf787fd3e6e3c5c7c1138f23c0
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/808acc80-0e2b-44bc-aebe-3f1a40b4a151/
Parent samples :
23fa78e02d1a9efdc334e21810403ca734bf6d874fb8953969c3819ebe6e9d64
48e453efa8b657ca3d61c6f287bf0c9f8c1b58a226558eaf5170d4f8aeffa80a
2bddc691ac1e13d8f9c9dcf3bbee24b74f058d009eca808565713e8584935336
52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
e8bbe027f2c39bba3aceb23f86f97ceda9eeb24fc3d4ae3cb9ebf4cd5ee8cd2b
311a1b25e9e43bad0b8e042cc70f13dc836775cbeb2ba8dc534e55830eb43d5c
074b2b30aaa8e0e7eb1c9362a7f995e69ff229cd202016d39aedd7151cbb4f3c
5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
SH256 hash:
f2a7fae9ce4f7589d654288a312d652af993b04ca98eeb4a8cf4d6b9c4681db7
MD5 hash:
1d31d06a7d7cf043aeaf67fc1b28c7c7
SHA1 hash:
81fe0d40d2c54e1f2a03fcc3bea0f17f57cc9938
Link:
https://www.unpac.me/results/808acc80-0e2b-44bc-aebe-3f1a40b4a151/
SH256 hash:
830117dcfccc35dad0b417ab32eadd2f2a088a712909cd011cc8b3a401575f56
MD5 hash:
8cb29ed6e417f1ee38bef18fd8e42510
SHA1 hash:
c6ab57deddd73c75e4412001983f9908cfa1ed0b
Link:
https://www.unpac.me/results/808acc80-0e2b-44bc-aebe-3f1a40b4a151/
SH256 hash:
52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
MD5 hash:
609e560a4e98077d31743b719bf0c383
SHA1 hash:
7840838b52c526964c409d65ad2e17e1abef3d2e
Link:
https://www.unpac.me/results/808acc80-0e2b-44bc-aebe-3f1a40b4a151/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52b4d7823920/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments