MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623
SHA3-384 hash: ca83e99ac3c036899bb888628e49fc79991f3765351d14a2afbf1f9ad8ed935d92622a9d71177265c448d49aa48f0e0b
SHA1 hash: fcfc04dcf0d722a191b2310b95c114a30ecee204
MD5 hash: cc1220aa3dbca7fcb2db3122f51b74c3
humanhash: green-hawaii-florida-golf
File name:OVERDUE SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:743'936 bytes
First seen:2025-10-16 09:13:00 UTC
Last seen:2025-11-06 10:29:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:S581TIG57ctJAB836EglhKpaUHD4IBoannROW89iMJkBiOZhqqv3PuYEsqbdvnJC:S58GGuAiAUpaUMQoG4W812iBQ3N3qbF
Threatray 2'177 similar samples on MalwareBazaar
TLSH T160F412082B5AE707DAA8ABB41A72E274177D5DD9F811E2078EDC3DCF7866F024C50293
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OVERDUE SOA.exe
Verdict:
No threats detected
Analysis date:
2025-10-16 09:14:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2372dfa-be85-4379-8785-857d3db60703

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33043/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f0b7400cffb32442984a7f
Tags:
virus spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected snakekeylogger vbnet
Link:
https://www.filescan.io/uploads/68f0b74a057c46a471cf0950/reports/56a55e13-ba5b-4a6c-badb-edd55c6994f3/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T03:52:00Z UTC
Last seen:
2025-10-18T01:53:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Crypt.sb HEUR:Trojan-PSW.MSIL.Agensla.gen VHO:Trojan-PSW.MSIL.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb
Link:
https://opentip.kaspersky.com/6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f46b140e-f48d-4352-af12-df551c6f1f04
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796384
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796384 Sample: OVERDUE SOA.exe Startdate: 16/10/2025 Architecture: WINDOWS Score: 100 35 www.airdropsrag.xyz 2->35 39 Suricata IDS alerts for network traffic 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 47 7 other signatures 2->47 10 OVERDUE SOA.exe 4 2->10         started        signatures3 45 Performs DNS queries to domains with low reputation 35->45 process4 file5 33 C:\Users\user\AppData\...\OVERDUE SOA.exe.log, ASCII 10->33 dropped 57 Writes to foreign memory regions 10->57 59 Allocates memory in foreign processes 10->59 61 Adds a directory exclusion to Windows Defender 10->61 63 Injects a PE file into a foreign processes 10->63 14 MSBuild.exe 10->14         started        17 powershell.exe 23 10->17         started        19 MSBuild.exe 10->19         started        signatures6 process7 signatures8 65 Maps a DLL or memory area into another process 14->65 21 Gm8rIGGR.exe 14->21 injected 67 Loading BitLocker PowerShell Module 17->67 23 conhost.exe 17->23         started        process9 process10 25 rundll32.exe 13 21->25         started        signatures11 49 Tries to steal Mail credentials (via file / registry access) 25->49 51 Tries to harvest and steal browser information (history, passwords, etc) 25->51 53 Maps a DLL or memory area into another process 25->53 55 Queues an APC in another process (thread injection) 25->55 28 Pv0ozuH5BsN.exe 25->28 injected 31 chrome.exe 25->31         started        process12 dnsIp13 37 www.airdropsrag.xyz 76.223.54.146, 49691, 80 AMAZON-02US United States 28->37
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.50 Win 32 Exe x86
Link:
https://app.malva.re/file/cc1220aa3dbca7fcb2db3122f51b74c3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 06:45:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnfukdeicojtp5diq2qqd22zko3ayol6bvtk44xilz7cvn6f4yrq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
0002a2f7d00d1d6c5289a0c6915c6a761145586b191c03d6ae9320ac487c9ed3
Formbook
01737d303e26dbb7b5dee87076382b4d81162ae73bf4faaeaf0bf29d0c6fc66d
Formbook
268b6fdc221050949a2b624983380cd3fb268fecef2f5bb3a15d91611f3d8092
Formbook
3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190
Formbook
44eb0ca230176e7653e8287dac64b16e4cfde7088635498e52d802d8a3dcb7e9
Formbook
60a8f087ea808e50d83e20099aa2fbedcd15bfb580f1524db4dc9e4a757d32d5
Formbook
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
Formbook
69a9b6e531a91d616c9d7405206f87b73b851e894e452cde8f4a16ebddd98156
Formbook
7df13306391cfb01b4552a061bcc4ef1c07494381306b7fac1b7ddba3a213063
Formbook
e54824f3c53758443e21d10af036b26e6ecf9dcfeb2179c459277325075c261c
Formbook
error
Formbook
+ 2'167 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251016-k61gfsfl6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc81203f-e4b8-4fec-98fb-c6e9d5836c92
Unpacked files
SH256 hash:
6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623
MD5 hash:
cc1220aa3dbca7fcb2db3122f51b74c3
SHA1 hash:
fcfc04dcf0d722a191b2310b95c114a30ecee204
Link:
https://www.unpac.me/results/9a0665ac-bb97-4c8d-a145-f725e768f803/
SH256 hash:
b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511
MD5 hash:
2a576318d07470206dd7c45f7d896078
SHA1 hash:
3096b2a5ccd98583949a9f57842d5547b50bbc29
Link:
https://www.unpac.me/results/9a0665ac-bb97-4c8d-a145-f725e768f803/
SH256 hash:
39892614c7e06b007c0ba628fa9e2aa78278bdac7beae0baa2765b4bc9e3cb98
MD5 hash:
587a19d4eadb28302de78968d31330d7
SHA1 hash:
5c0766ba4f9659bf24005ae60b8197c543d847e2
Link:
https://www.unpac.me/results/9a0665ac-bb97-4c8d-a145-f725e768f803/
SH256 hash:
a78ed352daaa849f689b54af3c82f62f78876e8660f1f062291d338927ebf206
MD5 hash:
cbfdb5d5c36307e62f3e6600857912cc
SHA1 hash:
84561ec38815731bc611fbe56afbb7493e6fedf5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9a0665ac-bb97-4c8d-a145-f725e768f803/
SH256 hash:
451251293f00ad035368dc38f5ab79a19cede991f5f37fbccffa453143cb2c89
MD5 hash:
6b3818d0e59248155a89363a9aa20bbd
SHA1 hash:
f2ac38eeb4eeca22787c83cbf6fce64af72f84cd
Link:
https://www.unpac.me/results/9a0665ac-bb97-4c8d-a145-f725e768f803/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b4b450c8813/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a224f6b1c49449188b592e338b73bf952d3e424703ac884d54cbded2075376e3

Formbook

Executable exe 6b4b450c88139337f46886a101eb5953b60c397e0d66ae72e85e7e2ab7c5e623

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a224f6b1c49449188b592e338b73bf952d3e424703ac884d54cbded2075376e3
Cape
Cape
https://www.capesandbox.com/analysis/33043/
  
Dropped by
MD5 63034398a7114aa20c4a098fcca8743c

Comments