MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11
SHA3-384 hash: c9c97b277633cd8d73a3724060260a52f307ccfcb80cb63c5ff4b9526348e086445db41af8049a4b2b9e11d17dffe66a
SHA1 hash: 0d70d4967eec8e9c9f11dc41153ecbbbbf213469
MD5 hash: 7b646f0b01732bc2c8a47e2709378301
humanhash: aspen-mirror-papa-river
File name:DHL - OVERDUE ACCOUNT LETTER- FINAL REMINDER - 1300711528 XLS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'832 bytes
First seen:2025-03-05 16:54:53 UTC
Last seen:2025-03-05 17:16:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:O7ZmfPx1ZZVqsdXp95i78Iz9xWgylqDfdGjxyHBDnU9hqADhHmO/HTcc:AZmHZHL95DI
Threatray 2'607 similar samples on MalwareBazaar
TLSH T11234DA0E668A75A3C6507F72C4B60B060374E945A6E2DE0B2DBBA35D09737FB6C5120F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 30a44a4c4c4aa430 (6 x Formbook, 4 x RedLineStealer, 2 x AgentTesla)
Reporter cocaman
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
491
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
457de1104cf5376ecb1726d4c45cacaa.zip_
Verdict:
Suspicious activity
Analysis date:
2025-03-05 16:45:09 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/bc4627f6-5490-49e7-8f7c-f3a0ca369137

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.4169.5259.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c882bac668b65489bf36f8
Tags:
autorun virus hype sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Creating a file in the %AppData% directory
Launching a process
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade net_reactor obfuscated obfuscated packed stealer
Link:
https://www.filescan.io/uploads/67c881fcf8726576332d5d50/reports/896c5bfa-02fe-4f73-aff5-c82b3e6c1479/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb9682b4-9305-460e-b536-c1dae828e3a1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1630272
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1630272 Sample: DHL - OVERDUE ACCOUNT LETTE... Startdate: 05/03/2025 Architecture: WINDOWS Score: 100 40 www.lenzor.xyz 2->40 42 www.031233720.xyz 2->42 44 10 other IPs or domains 2->44 58 Suricata IDS alerts for network traffic 2->58 60 Antivirus detection for URL or domain 2->60 62 Multi AV Scanner detection for submitted file 2->62 66 9 other signatures 2->66 10 DHL - OVERDUE ACCOUNT LETTER- FINAL REMINDER - 1300711528 XLS.exe 15 5 2->10         started        15 wscript.exe 1 2->15         started        signatures3 64 Performs DNS queries to domains with low reputation 42->64 process4 dnsIp5 46 196.251.83.222, 49733, 49735, 80 SONIC-WirelessZA Seychelles 10->46 36 C:\Users\user\AppData\Roamingncoding.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\...ncoding.vbs, ASCII 10->38 dropped 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->78 17 InstallUtil.exe 10->17         started        80 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->80 20 Encoding.exe 14 2 15->20         started        file6 signatures7 process8 signatures9 54 Maps a DLL or memory area into another process 17->54 22 DmNDz7ksP9B1ho7n5.exe 17->22 injected 56 Multi AV Scanner detection for dropped file 20->56 25 InstallUtil.exe 20->25         started        process10 signatures11 68 Found direct / indirect Syscall (likely to bypass EDR) 22->68 27 finger.exe 13 22->27         started        process12 signatures13 70 Tries to steal Mail credentials (via file / registry access) 27->70 72 Tries to harvest and steal browser information (history, passwords, etc) 27->72 74 Modifies the context of a thread in another process (thread injection) 27->74 76 3 other signatures 27->76 30 DmNDz7ksP9B1ho7n5.exe 27->30 injected 34 firefox.exe 27->34         started        process14 dnsIp15 48 an05-prod-v.cdn-ng.net 43.251.56.78, 49748, 49765, 49782 WSN-TW-NET-ASWorldstarNetworkTW Taiwan; Republic of China (ROC) 30->48 50 www.lifce.life 209.74.77.230, 50051, 50052, 50053 MULTIBAND-NEWHOPEUS United States 30->50 52 2 other IPs or domains 30->52 82 Found direct / indirect Syscall (likely to bypass EDR) 30->82 signatures16
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-03-05 08:20:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkv6qkw257kp4aj3ky5til7yhbdzudqoekeki6hbvoix2fqwbyiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
186f2e8050a7770d1e334a75570701dd24d3f69a917d9291642a62045ad9a8b2
Formbook
1b72e6203b4d26cbe44b55e7df27b3477badd3270cf900bb13c2af47bed80516
Formbook
4f456f083e843fac3b49cccf201cd1aad7f9cdba6e70db0de6d9c025c9540105
Formbook
6ae91782bc6a429b1381d2c63d05d268be691a616c46e4c01481b2bab60938a8
Formbook
7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11
Formbook
7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e
Formbook
db0957f9d8a95431403d63b33f7c424a5593424ceaf6aefb25694557a2e558b3
Formbook
error
Formbook
+ 2'597 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250305-ve6t9stlt3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d94d8822-34c1-42b7-a587-c725e26eb313
Unpacked files
SH256 hash:
7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11
MD5 hash:
7b646f0b01732bc2c8a47e2709378301
SHA1 hash:
0d70d4967eec8e9c9f11dc41153ecbbbbf213469
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/c430b6d7-7fc5-45f4-ba56-8aa2d72080bd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7aabe82adaef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 703a14ae07deba722217bc6837fbc576af67300d2d9e683ad4293f20e9a1e804

Formbook

Executable exe 7aabe82adaefd4fe013b563b342ff838479a0e0e2288a478e1ab917d16160e11

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 703a14ae07deba722217bc6837fbc576af67300d2d9e683ad4293f20e9a1e804
  
Dropped by
MD5 457de1104cf5376ecb1726d4c45cacaa

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments