MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70e7f14115d0d8e51a9a097b9a0fdaf2a63bd04b642271abb83908b31989c71a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: 70e7f14115d0d8e51a9a097b9a0fdaf2a63bd04b642271abb83908b31989c71a
SHA3-384 hash: 143d2d7011016eaf1267394fcf8eea306d3926bb21d22ed58c2d8c276b22baabb46f48d1df60f33ae42eb1c981baac66
SHA1 hash: 5a704b7b29c2f7cb6e47ca8c7238bf357f896b9a
MD5 hash: bfd84de7cb57e501ccbcd083ef21b8fb
humanhash: three-freddie-nevada-lemon
File name: Invoice.exe
Signature: Formbook
File size: 952'840 bytes
First seen: 2025-06-09 13:31:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:cJEJo3JSE8zETOWUngfJbi5qUm8vtQ87zyogkEJbe3:m3JSE8zETOXgfAn9Q8nQJJq3
Threatray: 128 similar samples on MalwareBazaar
TLSH: T15C15D084F7407993CA79377614AAD2BC4A7A29E82948BA13F2C7DD73BCD920907353D1
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: b2b68cb2b28cb6b2 (4 x Formbook, 2 x AgentTesla)
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 584
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Invoice.exe
Verdict: Malicious activity
Analysis date: 2025-06-09 21:06:51 UTC
Tags: netreactor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: expired-cert invalid-signature masquerade obfuscated packed packer_detected signed
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: (rendered graph not reproduced here; Behavior Graph ID 1709666, sample Invoice.exe, start date 09/06/2025, architecture WINDOWS, score 100)
Threat name: ByteCode-MSIL.Trojan.Barys
Status: Malicious
First seen: 2025-06-09 09:20:05 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 21 of 23 (91.30%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 70e7f14115d0d8e51a9a097b9a0fdaf2a63bd04b642271abb83908b31989c71a
MD5 hash: bfd84de7cb57e501ccbcd083ef21b8fb
SHA1 hash: 5a704b7b29c2f7cb6e47ca8c7238bf357f896b9a

SHA256 hash: 4a67f176b0e2aa57e76c48c31bcc880729cedbad29b0e67c97d3c1072efa823f
MD5 hash: 7a023e91b662219cb2e51701d9f92f93
SHA1 hash: 0b843d6983f1b87de00b458cf50f2a6632c09229
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 576a483ca1b9cdc5cb3ee010c2b5a2b179b80151d6eaa8bee07efeb2e735aadc
MD5 hash: 0d687aad2a7b379760e6fb9438bfd18d
SHA1 hash: ba941cda3d71bbea003f3534bf26894a5f001e1d

SHA256 hash: b8adaf9cfbbf091ba62bb3bcb7244136d395f4bbe871dba7de1c4fbbcd17efdf
MD5 hash: 3fe716d58aa325ce78adebe246322d4d
SHA1 hash: cdfe38abb157e47c77589cfe8386b483c5d4106d
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 4d15198a24b429132768a3e7a6dc29f98ea0f198cb413d9a2af97da7554ccaac
MD5 hash: 85423ef9fac965c68290b52ffffff920
SHA1 hash: be8714587b28d4367103e84d3f99168670fc873a
Detections: win_formbook_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high

Comments