MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 775fe2ed0542656527ad966042e01e62520026381dc10364fbe8d7ece148eec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14

SHA256 hash: 775fe2ed0542656527ad966042e01e62520026381dc10364fbe8d7ece148eec1
SHA3-384 hash: 8597838e6bb0c9f3cfa78ec9dd4c9873fa5355b8a0ec8a5291f9032970f569e86440b5564ca6f5596ef2b2175d9a5e4b
SHA1 hash: 34a55b9a5c0fe25441a17a9ba44d995f7f86132d
MD5 hash: 43c66ff8a4a750d03ca2587d91786149
humanhash: hydrogen-ohio-winter-pennsylvania
File name: Thông báo về việc nhận hàng của bưu kiện.exe
Signature: Formbook
File size: 813'568 bytes
First seen: 2025-06-17 06:03:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 24576:uy0URQ9o+iSjn9KdvVLtOvFrCH0sLBXcOiz:h0Bo+ZOBcro0sFXcOi
Threatray: 3'189 similar samples on MalwareBazaar
TLSH: T1F605D0AC7314B5DEC867C2729AA4CD74AA616DAB5317C20790D748EFB90CA879F140F3
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: abuse_ch
Tags: exe, FormBook

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 425
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Thông báo về việc nhận hàng của bưu kiện.exe
Verdict: No threats detected
Analysis date: 2025-06-17 06:22:55 UTC
Tags: netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated, packed, packer_detected, vbnet
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph ID: 1716126
Sample: Thông báo về việc nhận hàng của bưu kiện.exe
Start date: 17/06/2025
Architecture: WINDOWS
Score: 100

Sample (root node)
  Contacted: www.031234245.xyz; www.rtprubikslot-asli.xyz; 18 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures
  www.rtprubikslot-asli.xyz: Performs DNS queries to domains with low reputation

Process tree
Thông báo về việc nhận hàng của bưu kiện.exe (started by the sample)
  Dropped: Thông bá...u kiện.exe.log, ASCII
  Signature: Injects a PE file into a foreign processes
  Started: Thông báo về việc nhận hàng của bưu kiện.exe
    Signature: Maps a DLL or memory area into another process
    Injected: 5CoDA1kObKGV1g.exe
      Started: iexpress.exe
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        Injected: T3jXJhu3q9IeU.exe
          Network: 031234245.xyz 144.76.229.203 (ports 49748, 49749, 49750), HETZNER-ASDE, Germany; www.samlib.ru 81.176.66.171 (ports 49722, 80), RTCOMM-ASRU, Russian Federation; 8 other IPs or domains
        Started: firefox.exe
  Started: svchost.exe
  Started: Thông báo về việc nhận hàng của bưu kiện.exe
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-06-17 03:12:55 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash: 775fe2ed0542656527ad966042e01e62520026381dc10364fbe8d7ece148eec1
MD5 hash: 43c66ff8a4a750d03ca2587d91786149
SHA1 hash: 34a55b9a5c0fe25441a17a9ba44d995f7f86132d

SHA256 hash: 621abd7bc145024c4679f74a245eb0e7ab0430429823c356716e54d4713d0a08
MD5 hash: 50e3af0710dafc8be7ff29655de99c5c
SHA1 hash: 07de53ffb5d9fce81918081d1f3cd111df464223

SHA256 hash: ed8450b2a135a8bb59484a99c8de03f10161d976a45c41d2c86965020d5442a5
MD5 hash: c53e55a9c98a4dd8980e3ac78c0c32ce
SHA1 hash: 28b17e1cd3f954eb56fcaad08fe8c8d2fef3fad3

SHA256 hash: 334056aff2a72c66f8959e79737b50a57af28320536ca06bc96f25f685d4e6dc
MD5 hash: a4b21dacf92e0761739b7da89da7a38a
SHA1 hash: 36d767acb8cbfbcee76c8ceae1a0a172c5ac023f
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: a38181a50bfb36267c3dfc4b732c5e49a8274cce4e551efa7577f3c4cdaf7f4d
MD5 hash: c1b42840aea10a07de12a1441ecf6771
SHA1 hash: a12df8dce931ade0e44dc618ac67b8c8ece56e9e
Detections: win_formbook_g0

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high
