MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b
SHA3-384 hash: eea86a761c9883309226c01ad2baa879b84d3ea3f99d9580d695fd1d66551b67d7f5d22647001171bc70074702539ddc
SHA1 hash: bb23f6c23ce11f72aced21026704c577e6dbe475
MD5 hash: 0f8b25c9345e2ed5260be4bf5b211afa
humanhash: neptune-maine-california-florida
File name:Salary Overpayment_pdf.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:973'832 bytes
First seen:2025-02-05 07:06:34 UTC
Last seen:2025-02-05 07:49:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:vjU5g0H7t3qc6KcVjcEjUX0AjBVPzli5SymgxScOqIrS:vjH0bt3D6fJUXZjP7E5SyxxUfS
Threatray 49 similar samples on MalwareBazaar
TLSH T1CD25F17CE3E7AF22D7A85632C9E25C1007B2B0856432F34E64C560D99E1DFED2951B2B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 8018b49492b41880 (13 x Formbook, 4 x AgentTesla, 4 x MassLogger)
Reporter abuse_ch
Tags:exe FormBook scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
443
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Salary Overpayment_pdf.scr
Verdict:
Malicious activity
Analysis date:
2025-02-05 07:26:44 UTC
Tags:
netreactor formbook stealer xloader
Link:
https://app.any.run/tasks/355465c0-291a-4043-9d16-926485f46149

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5762.7148.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade net_reactor obfuscated obfuscated obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/67a30e2b288b2a13362b8bc5/reports/e6319ff0-61f6-47b0-8bb1-56412c567b77/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b
Result
Verdict:
MALICIOUS
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff134e69-8446-4220-b2ba-879cb4a7bdfa
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1607165
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1607165 Sample: Salary Overpayment_pdf.scr.exe Startdate: 05/02/2025 Architecture: WINDOWS Score: 100 62 www.news-xzurufo.xyz 2->62 64 www.ytmp3.town 2->64 66 11 other IPs or domains 2->66 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 94 15 other signatures 2->94 11 Salary Overpayment_pdf.scr.exe 7 2->11         started        15 CtZuTA.exe 5 2->15         started        signatures3 92 Performs DNS queries to domains with low reputation 62->92 process4 file5 54 C:\Users\user\AppData\Roaming\CtZuTA.exe, PE32 11->54 dropped 56 C:\Users\user\...\CtZuTA.exe:Zone.Identifier, ASCII 11->56 dropped 58 C:\Users\user\AppData\Local\...\tmp7AA6.tmp, XML 11->58 dropped 60 C:\...\Salary Overpayment_pdf.scr.exe.log, ASCII 11->60 dropped 104 Writes to foreign memory regions 11->104 106 Allocates memory in foreign processes 11->106 108 Adds a directory exclusion to Windows Defender 11->108 17 RegSvcs.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 22 11->22         started        24 schtasks.exe 1 11->24         started        110 Multi AV Scanner detection for dropped file 15->110 112 Machine Learning detection for dropped file 15->112 114 Injects a PE file into a foreign processes 15->114 26 RegSvcs.exe 15->26         started        28 schtasks.exe 15->28         started        signatures6 process7 signatures8 74 Modifies the context of a thread in another process (thread injection) 17->74 76 Maps a DLL or memory area into another process 17->76 78 Sample uses process hollowing technique 17->78 84 2 other signatures 17->84 30 explorer.exe 83 1 17->30 injected 80 Loading BitLocker PowerShell Module 20->80 33 conhost.exe 20->33         started        35 WmiPrvSE.exe 20->35         started        37 conhost.exe 22->37         started        39 conhost.exe 24->39         started        82 Found direct / indirect Syscall (likely to bypass EDR) 26->82 41 conhost.exe 28->41         started        process9 dnsIp10 68 www.senior-living-17169.bond 185.53.179.90, 49981, 80 TEAMINTERNET-ASDE Germany 30->68 70 www.heavydutyweld.shop 104.21.16.148, 49983, 80 CLOUDFLARENETUS United States 30->70 72 2 other IPs or domains 30->72 43 colorcpl.exe 30->43         started        46 autoconv.exe 30->46         started        48 colorcpl.exe 30->48         started        process11 signatures12 96 Modifies the context of a thread in another process (thread injection) 43->96 98 Maps a DLL or memory area into another process 43->98 100 Tries to detect virtualization through RDTSC time measurements 43->100 102 Switches to a custom stack to bypass stack traces 43->102 50 cmd.exe 43->50         started        process13 process14 52 conhost.exe 50->52         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2025-02-05 07:07:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7m4np5lw7kz5ttegxa3pf3btyqusnj2dzmes5tmk2empwszy55q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
36c3f143edb273d0d6cd6738e0357ddc19b86857de46871ba96bcb1a8256b1ac
Formbook
683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9
Formbook
7157f19969ea92bb660c62b91144ca8be1d6f1631252c7d1f7125fd957a1cde6
Formbook
78e8787616a4d7be2eb5c127e75e3326de2c3e2dbf2a2533163f9594c0214b16
Formbook
b2fe57ff7504883c1a5050ccf0a6cfe45087a43bea4ce92aec075be6f1852a29
Formbook
error
Formbook
fa3e852fa9dde2dde0c1e2254f81059f8c2f1088596e0fb9aa2e37583c26ead5
Formbook
+ 39 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g43m discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250205-hxqvjsxkgm/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/31042cc6-a2ac-4a43-b18a-fca01fda8cd2
Unpacked files
SH256 hash:
6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b
MD5 hash:
0f8b25c9345e2ed5260be4bf5b211afa
SHA1 hash:
bb23f6c23ce11f72aced21026704c577e6dbe475
Link:
https://www.unpac.me/results/b1f29cf8-5dfb-465b-909a-411c34daa07c/
SH256 hash:
2e755d0e66ac8390d8f404f6a02fb3a2568dc8761ccfe19c5cafbce89716e137
MD5 hash:
2a049ad59e7c2913c36f5de465d2eeb0
SHA1 hash:
6d83943803f4a7568436adb08dd8e968bc756430
Link:
https://www.unpac.me/results/b1f29cf8-5dfb-465b-909a-411c34daa07c/
SH256 hash:
a3b1f2e1ce0d3d38de636bf0d6f17701f5f699b15a5b6312e566ec6ee0f8895d
MD5 hash:
3858b99b0f98d32aaf4dd051fa7725a1
SHA1 hash:
a4abca6963b27da8725f715a017a0f7f82abd991
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b1f29cf8-5dfb-465b-909a-411c34daa07c/
SH256 hash:
e712bcd56fe64742c0f674f3acff83490f8103c260ea3389f56151b5066b7cd3
MD5 hash:
7bad4197d1ae020c9049a782eb9a71d2
SHA1 hash:
e1253047ea92beb7d161b106765ad8b03bc86b1e
Link:
https://www.unpac.me/results/b1f29cf8-5dfb-465b-909a-411c34daa07c/
SH256 hash:
9dfe6a54438c3252dd815fce43befc15d591ec59b1e16983a1d0cd51569cea66
MD5 hash:
4f0dcd52cddb6a7fcb1de93d8efb28e9
SHA1 hash:
e53cec61c809f9e9dbce49d93bd857616709636e
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/b1f29cf8-5dfb-465b-909a-411c34daa07c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6fd9c6bfabb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fd9c6bfabb7d59ece6435c1b797619e2149353a1e5849766c5688c7da59c77b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments