MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8
SHA3-384 hash: 513150b7b101add0ccff670468e3e452d89504dc9c3ddb1f7a978fe9161bdcbfa2213e733cf298b080aa55a19e8b3d5b
SHA1 hash: 225f1daed3ab1a51b1366f673f7fc40fb464f50d
MD5 hash: 2b9bad632d2dc09234f72c4818a717eb
humanhash: skylark-black-tango-diet
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:753'664 bytes
First seen:2025-06-05 13:34:46 UTC
Last seen:2025-06-14 10:48:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:4dR0BFNBqbF3ms1MUzb3WENi26duArvfUlgsXc3Yx1oPoO5dcCQ:4dkNBknjJCvfUlgscIx1ZMK
Threatray 131 similar samples on MalwareBazaar
TLSH T14BF4124635A6D907E9B71BB10A60C2B423F17DDD9802CB5B9FE62CEB7DB13421260397
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 07111534283c3927 (4 x Formbook, 1 x SnakeKeylogger)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
7
# of downloads :
566
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2025-06-05 13:36:36 UTC
Tags:
netreactor formbook xloader
Link:
https://app.any.run/tasks/cf92beca-8f8c-415c-ab07-300af3e95603

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7489/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.8061.27817.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68419ee207b5e8c1cfe4e7de
Tags:
virus micro msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68419d062d1d8b12425edeca/reports/93f7ae05-265a-49a2-89b0-a2b1a899fccf/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c604e830-1459-4438-a00c-9a6b77ad4f60
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1707238
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1707238 Sample: Quotation.exe Startdate: 05/06/2025 Architecture: WINDOWS Score: 100 29 www.swordsandbox.xyz 2->29 31 www.expertscloud.xyz 2->31 33 22 other IPs or domains 2->33 41 Suricata IDS alerts for network traffic 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected FormBook 2->45 49 3 other signatures 2->49 10 Quotation.exe 3 2->10         started        signatures3 47 Performs DNS queries to domains with low reputation 31->47 process4 file5 27 C:\Users\user\AppData\...\Quotation.exe.log, ASCII 10->27 dropped 59 Injects a PE file into a foreign processes 10->59 61 Uses threadpools to delay analysis 10->61 14 Quotation.exe 10->14         started        signatures6 process7 signatures8 63 Maps a DLL or memory area into another process 14->63 17 RAHaPIRM4agepR.exe 14->17 injected process9 process10 19 write.exe 13 17->19         started        signatures11 51 Tries to steal Mail credentials (via file / registry access) 19->51 53 Tries to harvest and steal browser information (history, passwords, etc) 19->53 55 Modifies the context of a thread in another process (thread injection) 19->55 57 3 other signatures 19->57 22 Rm6slIu6HCd.exe 19->22 injected 25 firefox.exe 19->25         started        process12 dnsIp13 35 f4v01.coalmo.com.cdngtm.com 103.250.7.118, 49693, 49694, 49695 MYTEK-AS-APDefenseAustraliaNetworkAU Hong Kong 22->35 37 livesofimpact.org 67.20.76.160, 49705, 49706, 49707 UNIFIEDLAYER-AS-1US United States 22->37 39 7 other IPs or domains 22->39
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-06-05 10:26:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nd5ogus5v4xtirukx4egjhzyv2blpufnxy6aofchm4bl2wgdt6ua._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
0bc24152db0f975574e94db1827007947731d0d95fed9927d27515475e8f1f47
Formbook
219e4aeab73f5d4dc1f1b9bcd9a870aaa46456b61d767339163c867a9e8d8446
Formbook
2664ab63ac8ed6dec7df1f8e0ea2d707c40bfb25335a43a721a8922a55375158
Formbook
5db250fb2ab758b4a3eaefe43070c2bf4be8ccd1fef3094b537ca602327220e7
Formbook
9457c57f87426deb09c61c3d665d58120b8007a004a09777aae236a74526ff2f
Formbook
error
Formbook
f05c1eb2caa8096345ebe0e944c24a81cc0ca0668458d9bdde758a9b17f010c4
Formbook
+ 121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250605-qw9v2axydv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5ec3db8b-7680-41a1-a1f1-5e1fa813ebf8
Unpacked files
SH256 hash:
68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8
MD5 hash:
2b9bad632d2dc09234f72c4818a717eb
SHA1 hash:
225f1daed3ab1a51b1366f673f7fc40fb464f50d
Link:
https://www.unpac.me/results/7c981a8f-a7e6-4472-bd97-4a58831beb55/
SH256 hash:
10f257d1f8acb840fed595a7a9eb87fc15eb17a3bbea928e32a4db42e41c8922
MD5 hash:
1ed5c56400fafdf113ace56c29b1f538
SHA1 hash:
30e1d9ae59abb291d2057c6d160726c98ce8cb28
Link:
https://www.unpac.me/results/7c981a8f-a7e6-4472-bd97-4a58831beb55/
SH256 hash:
cdd12566af7e180945bc7573f5113fa2bb3b9b4ac4e1fb0b3174bb1f69bc099d
MD5 hash:
cc5a1404cf9fa4da0478e2b1ec2915ca
SHA1 hash:
4812e5376682c1f4083313b5070dcdf6875051da
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7c981a8f-a7e6-4472-bd97-4a58831beb55/
Parent samples :
a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1
9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19
9457c57f87426deb09c61c3d665d58120b8007a004a09777aae236a74526ff2f
68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8
SH256 hash:
deeadca493eeae43bbaa043f638b0f9368f973a10e507b5f237ef986bea8e409
MD5 hash:
4787e3a73627de9d9e9c8ff5633d73b0
SHA1 hash:
e6e83b6a9cd0b128953ed9c4577abe0dcc6eea92
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7c981a8f-a7e6-4472-bd97-4a58831beb55/
SH256 hash:
d1a7f6b27e2ac740b34908aec2c0114e857688fc086544b4dfbc4f5a09a1cfda
MD5 hash:
74fdc1527a8c234a4b3192047f6aee34
SHA1 hash:
173df60e8d07278cc990d0eddf092ee7ef5195c4
Link:
https://www.unpac.me/results/7c981a8f-a7e6-4472-bd97-4a58831beb55/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/68fae3525daf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/7489/

Comments