MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
SHA3-384 hash: 31bcc663ae199c03516b812ee714a488f5a3a49678bd113fe1783908f59f19e86386964d933a00fb9463c4525f97f4c9
SHA1 hash: 1a6c8d782b841b56d66abfeb9489c158c793a72b
MD5 hash: 82c13b6e7343ca2cbf99b716b3d71764
humanhash: zulu-mountain-earth-equal
File name:62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
Download: download sample
Signature Formbook
Create hunting rule
File size:749'056 bytes
First seen:2025-04-08 08:11:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RGjvOn6nzx88gSmoL+QXaA+X5yMBniONJRg1ninzcyDjzC8Q7WKzVLb0Cw2DAmya:Aj2n6nGfRQXaA+X5oOj2tixpfKzVn/t1
Threatray 4'006 similar samples on MalwareBazaar
TLSH T142F402986715D623CA9A1B340EA1F67013B92DCEBC15E207AFED6DEFB835E115D04382
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
Verdict:
Malicious activity
Analysis date:
2025-04-08 10:19:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/56f45157-d1ed-4c77-a9a9-a43a391790d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4dc1be011fe619fad1c6a
Tags:
stration spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67f4da6740adfb5162bbf79b/reports/74d01f8c-7291-4090-995d-0c99b2f1474a/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7100f78c-73f1-4f34-94b1-9a2906b02700
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1659923
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1659923 Sample: vVN3yrJEwL.exe Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 68 www.nolae-eu.shop 2->68 70 www.nexohealth.online 2->70 72 www.erbtechnique.dance 2->72 78 Suricata IDS alerts for network traffic 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 Sigma detected: Scheduled temp file as task from temp location 2->82 84 6 other signatures 2->84 10 vVN3yrJEwL.exe 7 2->10         started        14 KPlYsGtDuJhxub.exe 5 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 54 C:\Users\user\AppData\...\KPlYsGtDuJhxub.exe, PE32 10->54 dropped 56 C:\...\KPlYsGtDuJhxub.exe:Zone.Identifier, ASCII 10->56 dropped 58 C:\Users\user\AppData\Local\...\tmpEC60.tmp, XML 10->58 dropped 60 C:\Users\user\AppData\...\vVN3yrJEwL.exe.log, ASCII 10->60 dropped 90 Uses schtasks.exe or at.exe to add and modify task schedules 10->90 92 Adds a directory exclusion to Windows Defender 10->92 19 vVN3yrJEwL.exe 10->19         started        22 powershell.exe 23 10->22         started        24 powershell.exe 23 10->24         started        26 schtasks.exe 1 10->26         started        94 Antivirus detection for dropped file 14->94 96 Multi AV Scanner detection for dropped file 14->96 98 Injects a PE file into a foreign processes 14->98 28 schtasks.exe 1 14->28         started        30 KPlYsGtDuJhxub.exe 14->30         started        62 127.0.0.1 unknown unknown 16->62 file6 signatures7 process8 signatures9 86 Maps a DLL or memory area into another process 19->86 32 NhVZjpsPSo4fzER0cC1kmyn.exe 19->32 injected 88 Loading BitLocker PowerShell Module 22->88 35 WmiPrvSE.exe 22->35         started        37 conhost.exe 22->37         started        39 conhost.exe 24->39         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        process10 signatures11 74 Found direct / indirect Syscall (likely to bypass EDR) 32->74 45 credwiz.exe 32->45         started        process12 signatures13 100 Tries to steal Mail credentials (via file / registry access) 45->100 102 Tries to harvest and steal browser information (history, passwords, etc) 45->102 104 Modifies the context of a thread in another process (thread injection) 45->104 106 3 other signatures 45->106 48 NhVZjpsPSo4fzER0cC1kmyn.exe 45->48 injected 52 firefox.exe 45->52         started        process14 dnsIp15 64 www.nolae-eu.shop 104.21.16.1, 49693, 49694, 49695 CLOUDFLARENETUS United States 48->64 66 www.nexohealth.online 185.104.28.238, 49692, 80 AS-ZXCSNL Netherlands 48->66 76 Found direct / indirect Syscall (likely to bypass EDR) 48->76 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 07:41:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mk57g6cmi33fcs5daei4stqh5r3gto3cuwpoakwk4u6tob6sv4pq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
05facf2fa75c9119aaea6867fa979d3001d48847843e776d7123a5542621ef02
Formbook
5cb52f7552376d335a4f41b086eaa369c1774a9f0c1f1c57b4a25a1bfecb30a8
Formbook
62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
Formbook
c530252005b782c3c6b4410e31fd30a15a32ba881bd4e3043ca497ca6a7280f4
Formbook
e8e945d0e6a01338aac7ba7c8b5d19bf4ad27824cd328d833a764d4b24ed7d0c
Formbook
efa962fc10045f83da36ea363c43aba7a8d5ff3ec0e3aaa4c6480c2578b8c4fa
Formbook
error
Formbook
f7a44bf4e40e0afd3fee72b9789c951b1c17cc08ff5c3eba3f8c941b91a961e7
Formbook
+ 3'996 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250408-j36nma1ydv/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd2c109c-6fac-4f4a-86b6-6800538a6079
Unpacked files
SH256 hash:
62bbf3784c46f6514ba30111c94e07ec7669bb62a59ee02acae53d3707d2af1f
MD5 hash:
82c13b6e7343ca2cbf99b716b3d71764
SHA1 hash:
1a6c8d782b841b56d66abfeb9489c158c793a72b
Link:
https://www.unpac.me/results/6b1ec65b-6214-4ee2-b350-1ecc2bfaaac0/
SH256 hash:
cf68f822581c977624b554e9669f1dacd3ea27da419ce7d922c4fd7159a37655
MD5 hash:
ef21daeeb39441e28b0cc86cc0e23235
SHA1 hash:
1297757d3382f98c8d391ee50d0dd892ab4f4440
Link:
https://www.unpac.me/results/6b1ec65b-6214-4ee2-b350-1ecc2bfaaac0/
SH256 hash:
cb62a26fb46f003ae04ce6f3ce2b86436ae383f915e33bc4e90eb108ea9ee485
MD5 hash:
b4618bf79068403bfc77be039e7f59da
SHA1 hash:
a32f9564ee4511038c9aa532139b87f0ef9bb519
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6b1ec65b-6214-4ee2-b350-1ecc2bfaaac0/
SH256 hash:
1fdfb9edbc18255a77c108b44bf8e2449a59719568656e7a72bd1a92514640f3
MD5 hash:
4ea0ec48bccaa7287ebbaf9d6c3258b6
SHA1 hash:
caf1c43a3f1fe35d8efacd5e18f5fd5def153ccd
Link:
https://www.unpac.me/results/6b1ec65b-6214-4ee2-b350-1ecc2bfaaac0/
SH256 hash:
6a1dc36c2840f00b1a34497d67c43ffd4f3cd9ab11a3ad29fcbead40deec952c
MD5 hash:
86c470c9bf757244c1c8ad9ea4618105
SHA1 hash:
12362e8ee91dced56b1bba9bd0ad607b9be597a1
Link:
https://www.unpac.me/results/6b1ec65b-6214-4ee2-b350-1ecc2bfaaac0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62bbf3784c46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments