MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93
SHA3-384 hash:	1c8c24ad669617e5af4fffd8332ae50489d47397d8eb8d695ba5f7f78d84902455e7dac8542578042d3ff21eb5382e53
SHA1 hash:	484365e5a8aab2186eab0e9bbb4d27529931b491
MD5 hash:	c7bf0ba3957cd19011dbe9f047061286
humanhash:	mike-double-carpet-lima
File name:	597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'396'736 bytes
First seen:	2025-04-08 07:19:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:t09RoWW6RcA2xgya73LmoBnSDIkRH1EDm+5K4Q6esb/j0pjr:t07jW6CohODIkPEDmn4ZbL6
Threatray	2'788 similar samples on MalwareBazaar
TLSH	T156552327BBCAC5A1C7511BBBF9BB984103ACD74AF717C75E7089232C49033BAA15524B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

398

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93

Verdict:

No threats detected

Analysis date:

2025-04-08 07:43:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fb577d29-b3f0-4672-b050-35a3db8c071b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/1246/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f4cf43a695a0cd1fac9aee

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

net_reactor obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67f4cdf32d430c849e0c5364/reports/6c174f81-c3cd-4270-b562-a0cad1af6eba/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01ad8617-2190-4169-9b16-6563765b55f2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1659002

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93/

Threat name:

Win32.Trojan.Jalapeno

Status:

Malicious

First seen:

2025-03-21 18:05:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lf7ylydrid6qkzctsu4lgaj2e6xc56aplsug5tzjndf42bct7kjq._file

Verdict:

malicious

Label(s):

formbook

Formbook

722128dea3f7a05aaa9f30656ab312fede67f07c8786f79d7ed4bbc894feaf2c

Formbook

8098c40545788f51d9255f9ec41960947cb8e42a4d297b89ae0ab4cee1145fb6

Formbook

80d82a8d5d67347b0e4d5de53f5849ead260a28ac74b347aab00520293ae2b4e

Formbook

99351a410e1b6ac260947ffb4b9d3c1716d48ebd369c38e0082d2bfca3354a95

Formbook

ddcb6ff5ce9cd75b9b7457b787b165000fab3bf4441509d5a1394983dd0bcbcc

Formbook

dfdf779de8ed55ff56d64a775147a2f1396b204c73834a88c64af6a7a61fca21

Formbook

error

Formbook

+ 2'778 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery

Link:

https://tria.ge/reports/250408-h5msvsznz4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a28cfb8d-0d67-4490-91aa-127b250bbbac

Unpacked files

SH256 hash:

597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93

MD5 hash:

c7bf0ba3957cd19011dbe9f047061286

SHA1 hash:

484365e5a8aab2186eab0e9bbb4d27529931b491

Link:

https://www.unpac.me/results/1dca139d-e8b3-4bbd-a34e-c6b8b0a9503c/

SH256 hash:

1c86a54b35f39675e4d61517fafa7a47af8ed74274772df906f02657f50b072d

MD5 hash:

df037c30d114ad69e1748748264146af

SHA1 hash:

0370becc56e8838454ae9cbbf36045b7853b2425

Link:

https://www.unpac.me/results/1dca139d-e8b3-4bbd-a34e-c6b8b0a9503c/

SH256 hash:

def38fb84bee168c160c9b3085a7b389e661ab5d56bc146d46ce7de4ca41cbfb

MD5 hash:

beab93635a6e26523cd476ac375e12c5

SHA1 hash:

0e011c9143f1fc5743617b0341f4b744dc24fde7

Link:

https://www.unpac.me/results/1dca139d-e8b3-4bbd-a34e-c6b8b0a9503c/

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/1dca139d-e8b3-4bbd-a34e-c6b8b0a9503c/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/1dca139d-e8b3-4bbd-a34e-c6b8b0a9503c/

SH256 hash:

550c1ed7214f23d029b9aec3fae763bd3d3c33af846e06c9d07953a75d609c0f

MD5 hash:

9234fcaa96042f8125c286497257bc87

SHA1 hash:

f2a00a414c0b2212f893d779f5399088c60a666f

Link:

https://www.unpac.me/results/1dca139d-e8b3-4bbd-a34e-c6b8b0a9503c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/597f85e07140/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/597f85e07140fd0564539538b3013a27ae2ef80f5ca86ecf2968cbcd0453fa93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/1246/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample