MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
SHA3-384 hash: de7d3d401d7dc59358b739c014d2ec91fc1c07443b534f3ce6a4116a67d52d5ffea22504e137826bb8af91ce80f4e72e
SHA1 hash: ff83e0008793376d57fcba544eb7d28304a127c3
MD5 hash: c5681b082c29a3332396a0cff54f24a6
humanhash: fruit-michigan-muppet-blue
File name:BRKT drawing.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:726'016 bytes
First seen:2025-04-10 03:20:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:ONnD05n/DC61qkjOAj+UOm1FQOlhk+Ij0/o9UiTasL6UgYlkDX7GwN:ONw57CobOsOm1Fdfo9usLBgYaT7G
Threatray 235 similar samples on MalwareBazaar
TLSH T1D1F4224EFF09C641DB4E413EDA83652C4BA48A64FA31D1BB20E870F65E76D49C40FB66
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 60e09696f01717e0 (5 x Formbook, 5 x MassLogger, 2 x Neshta)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
503
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BRKT drawing.exe
Verdict:
Suspicious activity
Analysis date:
2025-04-10 03:23:49 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/cbe00a5e-c77f-44a3-894f-f8a3fd282feb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/1445/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f740fff9ba909217ce815c
Tags:
virus spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f459904-ee5d-40ca-9357-38d694c6d98c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1661431
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1661431 Sample: BRKT drawing.exe Startdate: 10/04/2025 Architecture: WINDOWS Score: 100 61 www.vczuahand.xyz 2->61 63 www.irebel.xyz 2->63 65 16 other IPs or domains 2->65 79 Suricata IDS alerts for network traffic 2->79 81 Antivirus detection for URL or domain 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 87 10 other signatures 2->87 10 BRKT drawing.exe 7 2->10         started        14 zwrUIe.exe 5 2->14         started        signatures3 85 Performs DNS queries to domains with low reputation 63->85 process4 file5 53 C:\Users\user\AppData\Roaming\zwrUIe.exe, PE32 10->53 dropped 55 C:\Users\user\...\zwrUIe.exe:Zone.Identifier, ASCII 10->55 dropped 57 C:\Users\user\AppData\Local\...\tmp8EC4.tmp, XML 10->57 dropped 59 C:\Users\user\...\BRKT drawing.exe.log, ASCII 10->59 dropped 101 Adds a directory exclusion to Windows Defender 10->101 103 Injects a PE file into a foreign processes 10->103 16 BRKT drawing.exe 10->16         started        19 powershell.exe 23 10->19         started        21 schtasks.exe 1 10->21         started        23 svchost.exe 10->23         started        105 Antivirus detection for dropped file 14->105 107 Multi AV Scanner detection for dropped file 14->107 25 zwrUIe.exe 14->25         started        27 schtasks.exe 1 14->27         started        signatures6 process7 signatures8 73 Maps a DLL or memory area into another process 16->73 29 9KJcNnk9phz.exe 16->29 injected 75 Loading BitLocker PowerShell Module 19->75 31 WmiPrvSE.exe 19->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 9KJcNnk9phz.exe 25->37 injected 40 conhost.exe 27->40         started        process9 signatures10 42 raserver.exe 13 29->42         started        89 Maps a DLL or memory area into another process 37->89 91 Found direct / indirect Syscall (likely to bypass EDR) 37->91 45 raserver.exe 37->45         started        process11 signatures12 93 Tries to steal Mail credentials (via file / registry access) 42->93 95 Tries to harvest and steal browser information (history, passwords, etc) 42->95 97 Modifies the context of a thread in another process (thread injection) 42->97 99 3 other signatures 42->99 47 9KJcNnk9phz.exe 42->47 injected 51 firefox.exe 42->51         started        process13 dnsIp14 67 zohrablends.shop 162.0.232.14, 49698, 49699, 49700 NAMECHEAP-NETUS Canada 47->67 69 dns.e5v38ipjx.top 38.165.44.243, 49730, 49731, 49732 COGENT-174US United States 47->69 71 8 other IPs or domains 47->71 77 Found direct / indirect Syscall (likely to bypass EDR) 47->77 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07/
Threat name:
ByteCode-MSIL.Backdoor.njRAT
Create hunting rule
Status:
Malicious
First seen:
2025-04-10 02:48:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kp562qwjdgxcqgejtf42mn5q3hm3px2dp3rdtqv4mckfau5z5udq._file
Verdict:
malicious
Label(s):
captiveaaloader
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
7ac2afbdd0bdfed4481c49171a5c4e814a3ad878b8887fa2594a011620e49b3d
Formbook
8c05d622b2d534ad16dfe3b7c895dad48b3fb9faa5bde32e022a55cef4c2bba4
Formbook
a219e517e4f68db96fa6c7bf2d044b991043884cb1ac1dbd5de22ec5f08ddb00
Formbook
fc523562bc368e6ab9c0106a1f3d6e23c4104f120c65c65b9c9adb2ee57c63ca
Formbook
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250410-dwc5vazvgw/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1697e11d-e07b-4e56-8694-2addad36f6de
Unpacked files
SH256 hash:
53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
MD5 hash:
c5681b082c29a3332396a0cff54f24a6
SHA1 hash:
ff83e0008793376d57fcba544eb7d28304a127c3
Link:
https://www.unpac.me/results/a6e18464-e61b-42a6-a941-90e911ce3317/
SH256 hash:
a2abe9eaf5f3880fec5e7ffc816fd261e2953f26846daace4af5cc44e1d023e3
MD5 hash:
0a8f19019140b9cebeefcee9e0ee3012
SHA1 hash:
2f8177a6e4356d00af44ca2da7d355335fcaf8f3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a6e18464-e61b-42a6-a941-90e911ce3317/
SH256 hash:
fc6a7b7434959c332e8b7317dee8a2a58afaec69cf9b082efc66b0147cd2d213
MD5 hash:
dc9eab82ccf334b0074a9cdec0674a37
SHA1 hash:
6e8b3478e7b5983f6902e6fd46a8a7bfbf3d1015
Link:
https://www.unpac.me/results/a6e18464-e61b-42a6-a941-90e911ce3317/
SH256 hash:
d1565b7e500f1d93873d3a5d622385a03278f79dbb35281ab4aea1896e2ac030
MD5 hash:
af69bcbcf5c38f9e1b050b199a8a0d3b
SHA1 hash:
7d5b9e7c687e091651b5aac0c0196e1ce82516c5
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a6e18464-e61b-42a6-a941-90e911ce3317/
Parent samples :
2a70db0a80475b95076e3ac773bf31a512eac29e3bc6f2742146815dd209f5e9
804ca58e99fe47f33eb0ee7db9b0e4794dbe30c165f219bd85884f0f84ac7846
8a83249f26da9d22a6f3c1de677e98b4872368f013d21e87391417bf31da0b98
af33ab150d8a4076d522d235ff3b77508ec19e52b6ac17bdb6eccd842f6babc4
a6d1bf193f5a5f2f6f9e766dffb51b66122e96dc8d2b76c3674fe2968d32c811
41d7369f717e33a88918da397a21fdc2a1db9c76629b7d5c6be1786f8cee9d5a
a05882d8e179d3a1a3ac69ce4b81bc72ee80f026d921e2598a5eddefd803511b
1b9ddbe7a21e44c82dc78c8e8361baca31adea4d8a8e673536b249b46305860c
2c815316f091040c2f89bcbaae0464cd89a9bfd5225f917ac01fabb9136a3fd4
fc523562bc368e6ab9c0106a1f3d6e23c4104f120c65c65b9c9adb2ee57c63ca
fd4c4d051a2d6a69a40e1e8f2f4a1cbcd54a4f27fd7ab4843452c98611aad9c7
c7d5e01e287cfc5c4c967c1ec895659bf25a80fbe8266a87f083bc80ddc82cce
46b9ea7cdf572a0e0128450f141ab2c31922dbbea4b632401fe42d85ba21cbcd
88d63b81ce4d25ca852251449940416ac2a8c61f5cf4a452ab690d26dc372876
72be9fedc41813b76d9a0707925542a7919f9192ca9cdc8ef82b952dce22da4f
4ac15244ddd64dbbf277c8d20628a9593dc0df8feafd932a7746d1b99c2ba826
17445fc3b78c7a08d5c4bc4164d04f99a4906ca50fc7552c1420c9efbebfe215
ef31c771e1f44656fdc9e84c3745d8bef369879697c144110edac6b814878ee3
071ecee4bd6564ec46147d2cf3f94c230f6da364a7eca4305e2f69f56e8ac4e4
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
90c33f008fb667cf96ff92b14f8834e702e3f4444d195328c9be186e801e6823
4dce97ef955a132177e7043fc0d11e35c3e1d03f833b3b30951d7b2ce6db735e
094c46819bcd5e6fb0d7cc1415452e1ad1654da29a54685ecb8f92c751bb0822
d3b0e954250d481d37ce371255c6eb7deb4bb53c1784f2a7111487bb42f4ee5e
1ebc38bc1bd49c8564e94d2242c4deed0bd0d69c0086ab7cc2dc180c77a989ce
b4391a76a1e786d93c45cb78576609d9f75ce63d9253edac9c66ef921b5a7de6
909759c61b9cc4ea2307f313c5d944e3cc6c5210aabb7d53477262b725aa086e
15a7845256801920c72d8eb0b8be091fc8e6bc2461bf1cc53db2cf2b3c76b315
53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
82ebf6faf3f97b1fdc2508ef2fb4c22c5e39bd2572c95d358574d2bfe280aa3a
dbb10cc6fb3fc9fca393ff312d53af0d938aae2099e23dd69d1fb9ce6828f3b8
f8984264632a0aba48bcd90967988aa1d2c10f9381d00abc08456431ea46d208
e594f00895dd29d763379ee4aa87c6004e811385f71077959674c4ef636f5a2e
761766237d7a8d58a5cdf2aa5ccace247b724d033d3196bc441c6a9c31717561
b1e2b8b0806852aa586a0491fc91a832babfff3882eaed12a6b7d2e7b776d4c4
b259302d7ea5bfb1f2ad8f50e8de4df48d96021070ee77c5b7819583ec43f372
6bb21551577d98edc3a3c4db8d941258f86c89db185fa2095f54ad4944a62b87
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
0103b1c78fd2b588d3df5c688369fce8621e8c22d3207faaa1e8404c0ac860c9
f2392e04e5ffb9bcee95ce763a7686322a9abd7210af28ef3f653402515a6013
8357f957b093fda087166e77b0e6a59d8d0d2fde1002d0be9ce5f99db26d63bb
be4448d373ea201e390e0bb158bba4f3ceb111ff37cd586c770a3d0e887d5bf1
c36369fab2df20ecfe48904d1e740c361fbf72f7f06221cefcbb1586d696506a
f91c4c7fd22d1d1ad83e7b8984b7b317689c6c75b3dc5ad29292a72161ab2164
d00a21bc17cc36be9b55a6c36f6c51e3f8f5300bfcd80246cfaadc4d3b638a99
db54fbe35d83bb19deaf215649ce9c33974913b4a03fb0060f6afec3a33d1d42
2fa30c4928317befeb052607fb0181fbd4be52f5b2c37cbe4bdb42e743355449
b155dd58a04167ae2b542b3e84c60e2761bd66e7a96f66476d5568b84b801936
c7bdef6f72689a3279cfbd4a47882019055e0138cdb2ab229cdb96f9ed541196
1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3
2bc972f3ec09f8d1bdc1b25a3fe57db9a08577117d3a0d0ce5e5282e976d9111
5506f23308b0b3dff288866ab0b560f2fe5d61f53f4730428ab145f5ee033f84
8734c94b5ebc9260065d6ac359500b8f17f290be6c74bb72b9c0cacccf9b7d63
dbbf0fd1d25e6411faddab4b2f689dcffd04ce06642e1319f9d6fb00a2c343ca
b8c36a5b681b071cc8c8a34fa1d1656b705dbe1f433706b386b78fd73ef6e884
bd786fd63a731d3b49654aa94045c0b9c11c5c7112636befa6ecee7ff91d4c51
99af728a80e56652b6622bc371fd9a6cc4702e2c5598918c42eee05681850d2b
a9d818bc38d2a84ff40e54a062a9fba01a0648300fb1a892432547bc5b85e158
9c50c6516f166d7975bfb56b0a41cffb52844eb63c1c9ef2fd3502305d075a96
ddbf042dcfbeef6cf190530ca077b62d1366ef54356d0ed63814e8b9b07ca8de
31699232fd5243c9ed94a774b8b36fe40211590ba9460d8eca4251c24618beb9
5d8ae2e91d0e7c2dfb51972bc8f825ed37a76ab49d70809a446bcf3dd9dc9759
c0834472538b4521860ce0d38b7fb302e06da7fb0f328d2ce1614b176b44f5f9
c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
84d88aa331513f6d7e41095e2187e4571dd08b9aedd52202dbb39fa1e9fd5565
ee38d1b102d49efb131e686f67a3499b35eb4e412ed8c9bd6a5fe8a22320b3d6
e1c7a0142096027135342d53d50e982ca0db4683cb578fa7528f7da6394397d6
59c68aa4d3b5e77347aa69a31f2592220359ff8f45c18bf9ef5ad047e072534d
3eab5d3870693e704bdf913c10eb1b7a2a9dfbc3e85c58d2e3685ccbb5a1114a
6714c82529a444b8ce3f8bfae085604f2618954394d7812e68f473ebfca78a26
a6595037149574b9ef6ac2be554fda95aef17dac424a214f8582031112a43f56
dd762de25b94a493d115906421412af660db77916a2a09baa40be5a9fcbf63d1
d5bd67edddb02aaf59ac0743bc2ad8fe235ee8b4cda045e2475193cb8ccca8ff
SH256 hash:
a34a4b4bb8b8f45e9251c9dc0e92355d063c819ff20edefd6eb441425f046c2b
MD5 hash:
7f07d604440c428ec60a04695eff27e2
SHA1 hash:
78be8d36074eaaf39e9aa13436e7fb2b0bab0d7e
Link:
https://www.unpac.me/results/a6e18464-e61b-42a6-a941-90e911ce3317/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/53fbed42c919/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/1445/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments