MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
SHA3-384 hash: 176ed33061d2505f8bd56a687dbd977ee7fb70329e64f2a25d757eb4a2dde0d69e67e9cbfb568a585263b324e46bc09e
SHA1 hash: e1b37eaba8fd77fc8aabbc5dfe2bc7b06943ef98
MD5 hash: 7e31f4f040cec802a5608cdd9b356f5c
humanhash: kitten-sweet-ceiling-eleven
File name:Documents_pdf03243232 SHPMT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:998'912 bytes
First seen:2025-02-06 06:56:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:vfVoFufS+s4AG5pZxln2hJoGlIF22Gk2PSGQOs8D:HaFurAGpZxd+tlIF2m2aGd
Threatray 4 similar samples on MalwareBazaar
TLSH T10025D0C1B6844B56ED675BF24935995002B33E6DA5A4F20C3CE6BED736F33820066E4B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 1d199b5a1b2d575b (5 x AgentTesla, 4 x Formbook, 3 x HawkEye)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
493
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Documents_pdf03243232 SHPMT.exe
Verdict:
Malicious activity
Analysis date:
2025-02-06 07:22:33 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/bf041ca7-8a50-494c-8106-4b616bf7dec2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.17641.UNOFFICIAL
Create hunting rule

Win.Dropper.LokiBot-10023755-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a45f402dcee78dd819ae78
Tags:
trojan virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67a45d4dc8125b0e0418dc80/reports/48bf0c95-421d-4b5e-9a23-c586a2cb84d2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Rubeus
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cedf024-ac1f-4822-8b66-e24ce749808e
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1608051
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1608051 Sample: Documents_pdf03243232 SHPMT.exe Startdate: 06/02/2025 Architecture: WINDOWS Score: 100 61 www.electrosle.xyz 2->61 63 www.directbizlending.xyz 2->63 65 22 other IPs or domains 2->65 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 91 19 other signatures 2->91 11 Documents_pdf03243232 SHPMT.exe 7 2->11         started        15 itovgklgs.exe 5 2->15         started        signatures3 89 Performs DNS queries to domains with low reputation 63->89 process4 file5 53 C:\Users\user\AppData\Roaming\itovgklgs.exe, PE32 11->53 dropped 55 C:\Users\...\itovgklgs.exe:Zone.Identifier, ASCII 11->55 dropped 57 C:\Users\user\AppData\Local\...\tmp7818.tmp, XML 11->57 dropped 59 C:\...\Documents_pdf03243232 SHPMT.exe.log, ASCII 11->59 dropped 93 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->93 95 Adds a directory exclusion to Windows Defender 11->95 17 Documents_pdf03243232 SHPMT.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 23 11->22         started        24 schtasks.exe 1 11->24         started        97 Antivirus detection for dropped file 15->97 99 Multi AV Scanner detection for dropped file 15->99 101 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->101 103 4 other signatures 15->103 26 itovgklgs.exe 15->26         started        28 schtasks.exe 15->28         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 17->71 73 Maps a DLL or memory area into another process 17->73 75 Sample uses process hollowing technique 17->75 77 Queues an APC in another process (thread injection) 17->77 30 explorer.exe 56 1 17->30 injected 79 Loading BitLocker PowerShell Module 20->79 34 conhost.exe 20->34         started        36 WmiPrvSE.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        81 Found direct / indirect Syscall (likely to bypass EDR) 26->81 42 conhost.exe 28->42         started        process9 dnsIp10 67 www.driveubertexas.com 204.74.99.101, 50008, 80 ULTRADNSUS United States 30->67 69 pickleballgiant.info 76.223.67.189, 50009, 80 AMAZON-02US United States 30->69 113 System process connects to network (likely due to code injection or exploit) 30->113 44 svchost.exe 30->44         started        47 svchost.exe 30->47         started        signatures11 process12 signatures13 105 Modifies the context of a thread in another process (thread injection) 44->105 107 Maps a DLL or memory area into another process 44->107 109 Tries to detect virtualization through RDTSC time measurements 44->109 111 Switches to a custom stack to bypass stack traces 44->111 49 cmd.exe 44->49         started        process14 process15 51 conhost.exe 49->51         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 01:55:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ms47atsqby3xs4xshsjd4z4nfu7mjlwmiliggtpe4ckxbmovru2q._file
Verdict:
malicious
Label(s):
unknown_loader_010
Create hunting rule
formbook
Create hunting rule
Similar samples:
823eee47b2bea6b3c81dd6d97359288b6e8b65fbb2eebf8f2fab7de608f05c2b
Formbook
ae74b8c9e1f56b45a7cd04935a720d3bb42a5e58d257a648474c89def6b54a01
Formbook
error
Formbook
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n8it defense_evasion discovery execution loader rat
Link:
https://tria.ge/reports/250206-hq291aypan/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Command and Scripting Interpreter: PowerShell
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader payload
Xloader
Xloader family
Verdict:
Malicious
Tags:
Win.Dropper.LokiBot-10023755-0
YARA:
n/a
Link:
https://app.threat.zone/submission/6baa1d0f-7cb1-451b-9353-95213f3e82b7
Unpacked files
SH256 hash:
64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
MD5 hash:
7e31f4f040cec802a5608cdd9b356f5c
SHA1 hash:
e1b37eaba8fd77fc8aabbc5dfe2bc7b06943ef98
Link:
https://www.unpac.me/results/efb5b9b3-735b-47c3-859c-b674672bf835/
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/efb5b9b3-735b-47c3-859c-b674672bf835/
SH256 hash:
8b8d0be1e3b3c35c7643050dcfd8cf2485043e83f6fb0b459a62501751dd3ffe
MD5 hash:
bb31858fdce6f802c78cf6cb49f494a7
SHA1 hash:
3df40e7e7952670445034f653f0d8b4e62137f79
Link:
https://www.unpac.me/results/efb5b9b3-735b-47c3-859c-b674672bf835/
SH256 hash:
5922f2c47ddcb37db7a1db2838f06d545a477fa824979aa1a796b7dd923b828e
MD5 hash:
d5ca9ead809824561b0087dcae070b79
SHA1 hash:
3fad58d7a9f07cd5d799b5733757714d634f0ea6
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/efb5b9b3-735b-47c3-859c-b674672bf835/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/efb5b9b3-735b-47c3-859c-b674672bf835/
SH256 hash:
05a8ab9bfc1a265caeb257b4edee8feb7a5b3b653e6acb0f40bec9b1f15dd932
MD5 hash:
1d49791abb6a5558c95ddfa97fc2d205
SHA1 hash:
f525de3dceb15a4916c117638e82bc594c33fe4e
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/efb5b9b3-735b-47c3-859c-b674672bf835/
Parent samples :
1cbd3337b16b5bc9cf9a448349daf9b7d1667bc689d992af9d15c5af950852f9
154325f60d87e33962f45610a84bce0ec784d7e9bbcd584c34429b3e98b07ca7
d68fa1001c7c79b3a4c142875ded35be6b07025eabe4b6ad576c1c3d11054ac8
e6ced08f9d33a491dbfd37d5a8d81766fa63dda41f619eb8c7edb0ed3116047a
64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64b9f04e500e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments