MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e
SHA3-384 hash: 4f6e56ce94e6e9d75c074f4d752f49f4625cdaeceef9071b2a07a1b9a8a16857407d5a8e33640b067a62db7431c91575
SHA1 hash: 1f61899407459c8a48951d27150ed50732d350a3
MD5 hash: d37b836ec57b2ad91aa25e0cd83a44f4
humanhash: thirteen-indigo-lake-november
File name:Bakiye ödeme fişi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:769'024 bytes
First seen:2025-06-04 12:51:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:/wEUtNbot5uWGNwTcVMVlcyZFe9LixgPnobvWEBF2GSg9kwnmWbGfE+FYhGVPn1U:IEUtNbE3qBLyZk9bQqG8GcYGhP1
Threatray 3'764 similar samples on MalwareBazaar
TLSH T141F40208729E8B43C57707F62B31D1B413B9AC8C9922DB5A8FD97DEB3896F02524075B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
405
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bakiye ödeme fişi.bz
Verdict:
Suspicious activity
Analysis date:
2025-06-04 08:10:24 UTC
Tags:
arch-exec netreactor
Link:
https://app.any.run/tasks/d6fb55bc-8754-4d42-9b60-72d99f6c21f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7261/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684042798bd5d68a12e51ef7
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68404188e336a33801e3148e/reports/93f2630a-b731-4d32-9921-9112727e2c23/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f72ddcb-2957-435a-8656-df5abecc6b2a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705874
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1705874 Sample: Bakiye #U00f6deme fi#U015fi.exe Startdate: 04/06/2025 Architecture: WINDOWS Score: 100 46 www.zypraflow.xyz 2->46 48 www.autosovereignty.xyz 2->48 50 4 other IPs or domains 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected FormBook 2->62 66 6 other signatures 2->66 10 Bakiye #U00f6deme fi#U015fi.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 64 Performs DNS queries to domains with low reputation 48->64 process4 dnsIp5 38 C:\...\Bakiye #U00f6deme fi#U015fi.exe.log, ASCII 10->38 dropped 68 Adds a directory exclusion to Windows Defender 10->68 17 Bakiye #U00f6deme fi#U015fi.exe 10->17         started        20 powershell.exe 23 10->20         started        22 Bakiye #U00f6deme fi#U015fi.exe 10->22         started        52 127.0.0.1 unknown unknown 14->52 file6 signatures7 process8 signatures9 54 Maps a DLL or memory area into another process 17->54 24 jo3nSCCNXvl.exe 17->24 injected 56 Loading BitLocker PowerShell Module 20->56 26 WmiPrvSE.exe 20->26         started        28 conhost.exe 20->28         started        process10 process11 30 verclsid.exe 13 24->30         started        signatures12 70 Tries to steal Mail credentials (via file / registry access) 30->70 72 Tries to harvest and steal browser information (history, passwords, etc) 30->72 74 Modifies the context of a thread in another process (thread injection) 30->74 76 3 other signatures 30->76 33 vTh9cdgKx9.exe 30->33 injected 36 firefox.exe 30->36         started        process13 dnsIp14 40 www.zypraflow.xyz 209.74.77.107, 49712, 49713, 49714 MULTIBAND-NEWHOPEUS United States 33->40 42 gqvvvjylmzsym-top.4407f158db.dns.yanwudan.com 206.119.165.20, 49708, 49709, 49710 COGENT-174US United States 33->42 44 2 other IPs or domains 33->44
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e/
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-06-04 08:19:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k54sxpnsym4c6uyujmthyjgo3aeulohjnj76hhtthpblku3iyvpa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
59cb54570d5d67d0dc406d25b3fb2413663e11eab1034ac83d3924e93205e33a
Formbook
69c5a698e5440fda15f54b2737f3125a1f5d023ce120ce8e8af29b50fb17f51b
Formbook
779065a001ee3006e880df587c823741e372eeeddbb5725dd53cb35349c79d89
Formbook
d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19
Formbook
e5b29443f0f1de210b9e5928a62afc5da1d52e4bc08fc97c741332e7721b5e16
Formbook
+ 3'754 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250604-p36lhsgl3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15c30582-9813-4522-a5e0-82805efe4b75
Unpacked files
SH256 hash:
57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e
MD5 hash:
d37b836ec57b2ad91aa25e0cd83a44f4
SHA1 hash:
1f61899407459c8a48951d27150ed50732d350a3
Link:
https://www.unpac.me/results/00c4f6fd-8aa1-4740-93f3-50587229a7e9/
SH256 hash:
0b2efd5121ae97522f291f91249f3e692fad0d06540d5f9d989389ee4982cc0c
MD5 hash:
e839e7e1d85e185ea43cd6890fab5ffa
SHA1 hash:
08de4264fdb72f3245ba41ff28381e2f3c6ee432
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/00c4f6fd-8aa1-4740-93f3-50587229a7e9/
Parent samples :
dc0eb1dd4ee4bbb3f4de84fa4dbf98cf09aee7c912c47b263dd5d704ebe2d1e0
57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e
876186ad1969e2f202fd93fdde333f8d042e4dd35c687a8f17723f77788d1837
6d3767d77538bda1289d139535778d0f55226481c1f5f8ee6d257cc21f968204
SH256 hash:
626e68ea84aa46ae7714523bb00ef5a1ae496c050fc7fbc58ee4eef80f297356
MD5 hash:
595911a0ef5202b8f03c30a69a248df8
SHA1 hash:
1ceab95054073d48338d7a9dee62eb7f0e120af5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/00c4f6fd-8aa1-4740-93f3-50587229a7e9/
SH256 hash:
3e5d4b9e641334443ff1a675aa03e6793b6a74f6cec84a653a12f9a5730e6949
MD5 hash:
65916d5e026ebbd9a5d5af3b815e3a4e
SHA1 hash:
880a02376b7859b4a7dbaeaa59b5587bc7a418e8
Link:
https://www.unpac.me/results/00c4f6fd-8aa1-4740-93f3-50587229a7e9/
SH256 hash:
ae45fabf37ebd716f70a0e63412337d81c0156f2e912a42d5dc45effee9e37a4
MD5 hash:
c25c2797e5750ee2ed434f8b6f0e1db3
SHA1 hash:
681c2cb07aa45f7d6d1904ec25d4c0e25b8f7f23
Link:
https://www.unpac.me/results/00c4f6fd-8aa1-4740-93f3-50587229a7e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57792bbdb2c3382f53144b267c24ced80945b8e96a7fe39e733bc2b55368c55e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/7261/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments