MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e
SHA3-384 hash:	ad7e83890bf15cca103bf61b18207c4bbc877ff5f3dfb8c592b3c72a96497e9217107adfb70c298873553dec704d1543
SHA1 hash:	33f58d79d70e77642d7453d3b958c3cc53075b47
MD5 hash:	0e3b1abf926477cf228dfa8652cece02
humanhash:	zulu-grey-mobile-mars
File name:	67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e
Download:	download sample
Signature	Formbook Create hunting rule
File size:	681'472 bytes
First seen:	2025-07-07 15:11:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:Kgr+nbvJJ3BAeF/hZWAGSpNTvZ/9oFtdwzAPHhW9qwIwcztdQ0lMZOH:inbDxNbEbSzTFSFtdwzEhWuwmbQd
Threatray	5'250 similar samples on MalwareBazaar
TLSH	T144E4F12C329B9B02C6BA0BF91901D0B553B9BDEEA451E35A4FC56CFB3C723514906B27
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/13249/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686be3f3900df8e7f8685387

Tags:

micro spawn msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed packed vbnet

Link:

https://www.filescan.io/uploads/686be3d40737c4165a928a0d/reports/0a849e3a-6c57-4d94-959e-1b57bd0b6621/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-06-26 10:55:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7hraluikff7x5cx63ocjes2gl6dgmsl7iarfufhjlmirpilwe7a._file

Verdict:

malicious

Label(s):

unc_loader_037

formbook

Formbook

7e545a76c16dee6d24d3e86c6667c07bcd0f76064f232463b58fd4ec6d930090

Formbook

d10865bd6526c7578c27e6c1d76fd3c6feb3b11fff8e0d0a3b41090a525b8bc1

Formbook

ee2c474d321d710e3e3d5808bde560a2bd3e94cef6d9b457149a2c3300972228

Formbook

error

Formbook

f10dcedfa178a0bce77e909b072ff0deb66ab588db90b7f5eb3d0bbe8c75215b

Formbook

+ 5'240 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:kk14 discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/250707-skstgstmz9/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a82db8a3-47a2-460f-8dc4-6ee6566aa95a

Unpacked files

SH256 hash:

67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e

MD5 hash:

0e3b1abf926477cf228dfa8652cece02

SHA1 hash:

33f58d79d70e77642d7453d3b958c3cc53075b47

Link:

https://www.unpac.me/results/db4f8dd5-c1a2-4b4c-a346-fe154de42647/

SH256 hash:

eff3a2d4f334535473a963a67ecad403788a16d03ae413d438e826367ac55bdf

MD5 hash:

c4acc04dec0f7c3941018a3f5663ffad

SHA1 hash:

53829cba5820ccb3f0b7fa1a8c3f54c62c244db4

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/db4f8dd5-c1a2-4b4c-a346-fe154de42647/

SH256 hash:

444a2521990f9ea270168b989fe5932567b2addbde24a542888488d030b2042d

MD5 hash:

992d8b731f583d2349d1f179d10c1d63

SHA1 hash:

c5d8b73b68f4713627fa6af079707c1362f521a0

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/db4f8dd5-c1a2-4b4c-a346-fe154de42647/

SH256 hash:

e220cb9084ebd57c7f1d9bbd8dd7d1125de0a4e2cbc1c275fef0f28d48bc7e86

MD5 hash:

d2e060aa99db9c12af94f5d7e6a85c57

SHA1 hash:

405d460f9b015f7b114b884e65b44a7603aa1af3

Detections:

win_formbook_w0

win_formbook_g0

win_formbook_auto

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/db4f8dd5-c1a2-4b4c-a346-fe154de42647/

Parent samples :

1077313e39d5064c18f7c544fef3c9e53b35ec2c80bc406ded414d645e74649d
38a4d9f237a7a43c30064b9013215249ba0245abeb39428eadb28d120a7e0087
7f44edb791af09f8161a6b292d6fc82cf3601e56e1996228133081914a660d50
67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67cf102e88514bfbf457f6dc24925a32fc33324bfa0112d0a74ad888bd0bb13e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/13249/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample