MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
SHA3-384 hash: ef48e16eaa21cdb941b8cec6346bda62b101bb8cd41f759553700febff25ed574b5ee60e99f9fcd3b0372c736616d249
SHA1 hash: f46e8a490f412d9a080f116af64e31f50b768264
MD5 hash: 4513ccf66f6171fdb90d2027bb2656eb
humanhash: pluto-ohio-zulu-magnesium
File name:Payment Slip rar.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:795'648 bytes
First seen:2025-01-20 08:19:50 UTC
Last seen:2025-01-20 14:22:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:n06k4eopoGxsK1RCaMLPxaOBqUJsdvOuoq1+c0U:n06KtGPCpxauNJsdvw0N0U
TLSH T1AC05224CBB41F3B2CF5C2B729667900997B9C113F0A2F3AB15CA89911939F98D14B763
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
462
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip rar.exe
Verdict:
No threats detected
Analysis date:
2025-01-20 08:22:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2626e2a4-d259-4a0d-adfc-a9d12ec7587b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16753.25498.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678e2e08e708b6e7a3ad9183
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/678e073fce56b59135d068e5/reports/eee411c7-33cc-4213-a6a0-8b1714f42ef9/overview
Verdict:
Malicious
Labled as:
HackTool[Obfuscator]/MSIL.DeepSea
Link:
https://www.hybrid-analysis.com/sample/7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d54cc275-c3e3-4d19-8386-47496fc2e2c9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1594959
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1594959 Sample: Payment Slip rar.exe Startdate: 20/01/2025 Architecture: WINDOWS Score: 100 30 www.smartoves.xyz 2->30 32 www.l87741.xyz 2->32 34 14 other IPs or domains 2->34 44 Suricata IDS alerts for network traffic 2->44 46 Antivirus detection for URL or domain 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 52 8 other signatures 2->52 10 Payment Slip rar.exe 3 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 32->50 process4 file5 28 C:\Users\user\...\Payment Slip rar.exe.log, ASCII 10->28 dropped 13 Payment Slip rar.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 sVBdEYTpmK33pXV.exe 13->16 injected process8 signatures9 42 Found direct / indirect Syscall (likely to bypass EDR) 16->42 19 net.exe 13 16->19         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 19->54 56 Tries to harvest and steal browser information (history, passwords, etc) 19->56 58 Modifies the context of a thread in another process (thread injection) 19->58 60 3 other signatures 19->60 22 sVBdEYTpmK33pXV.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 36 www.313333.xyz 103.120.80.111, 49997, 49998, 49999 WEST263GO-HKWest263InternationalLimitedHK Hong Kong 22->36 38 www.dkeqqi.info 47.83.1.90, 49988, 49989, 49990 VODANETInternationalIP-BackboneofVodafoneDE United States 22->38 40 8 other IPs or domains 22->40 62 Found direct / indirect Syscall (likely to bypass EDR) 22->62 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-01-20 05:52:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4iim74kg74wg2opgbnrel5h6x5t6ypavgg4gxlgu4qgkmcvpqoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250120-j8e3vszpbt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ed6b1757-0648-423f-a84e-6004ccd20d7f
Unpacked files
SH256 hash:
2b61bfb7b2980aaa8ae4cb17c5ce54f996f0a1a32223912861d2cb8762c11b7b
MD5 hash:
faf86df2ef3c546e4ae0e8e89cbd8ea8
SHA1 hash:
42c72c9ac9515e17a326097d33b5c82fe3837338
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/270727c8-3b61-41cc-94e4-b24484b5f82d/
Parent samples :
7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
52588fe73383ccdb5d715ecff941d1ae169a57d49deddcc8e3c06536f2c56795
771077ce6d2c6eab4908e19af87680fba3491ce6aa9cf976d82afae3a7cdfa10
c76072f42ba97861b01655026250c0920a3856a191144601e061318346e75e1b
7360456ec87f544e6a9eb05a88bf81e0ce693fb4b04f6a4f6a71d05ce524abdf
SH256 hash:
3be48df9146586e98bfdd76675408341486998f6e41af37f02ad70052947e674
MD5 hash:
307aa3fb9e19e48ddcfa5bd75da9ab57
SHA1 hash:
a156be6120ca86341bbf10a152c359069321fe5a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/270727c8-3b61-41cc-94e4-b24484b5f82d/
SH256 hash:
4fa7870fd3e7a220b3bb5cf713671908c7a11811d5b3e426a4052b59120b7ebb
MD5 hash:
dd3b9fc3c673d8c24e52037a15dd029a
SHA1 hash:
2299a2053155747597d1371293fb56704d14d677
Link:
https://www.unpac.me/results/270727c8-3b61-41cc-94e4-b24484b5f82d/
SH256 hash:
52623f7f653468852363e6eecd312eacb8c07d24f3e4d06a736ee88d5945d6b6
MD5 hash:
bc67ec4fbc8d26fa2992db28c17d1bd1
SHA1 hash:
09de04d8f8eaa2f5509b632e26e0d66053e6a3d3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/270727c8-3b61-41cc-94e4-b24484b5f82d/
Parent samples :
701cc76315954f7e5e8b0fb36db44cdb6e6e40384be529670490523be1429d8f
84e892d4627a3a3aa053b30200788bd6942c046d2dadcf5121017a32e10142f2
6f094aa75a8322555241fae3063c17075a6ed5166bfb41c9055c390278178d6b
339c521fe6235de8b0b912c9fffcad6cc2eab721902ac095bafa510d68868c97
06c6a4f57f8b8d5b12406b5b2c8960362c0c2ef3cf74c4dcb49481ebb942230e
c470eab16e537bf777506e63bbedd58114c0403965e9a01965507ffd731dde4d
845304505e2c101665da5f7c34cff35f470b7a02d7c0218d7bd0d25664cc9cfc
e69d37275cc3b52a9d3a26f76073191ab8f59901781b5ef2859f33dee2252ddc
00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d
3cad0fb9280972f24f68c74e7b9c93dbd446c22f704f3b66cc7f1effc54d7a09
8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
5d4dc700ab772bfb4ac1fa290c0dfeae62058d31c42b48b5072a2c13b4c419bb
1de6c06cde011693219b05444f8e18cf1fe97373d0557a083a6e6e7d836e3153
db86c56e2f1c33504e4bd47d1490709bc5afe4ec1d95a0fbf22510bc3c542a8b
202efe071db5f07fc1570f9f296799dafd1bdcd29085e0b9c8c5c9e2ce1199d5
07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
f89d5db1d93b61d6e6346fa86e914a5b02e927c8eee905e658b0818f76a545ca
784f9e5d1eedc785401f6397aab1d9fbfff7593262f8db591e50ae06d37cba02
1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03
efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
8fe18e6c77d0b63ad58b669472c8247a8771c82ce4edc65814bb4c53fe5ab51c
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
7abd614a718eae6e0544e6828c834f275248093b5d807b7cc5c4de975dc7abc9
91a04734fb1bfa93391d961ff94dfdfffc3021d6cf56cb31f9d696aa3251c6e2
51d5fbecdf7459fc37ab296b97245a020f31cfd4ac1073f3fb2947a3710a8523
0198cc6636a1c05da00eb7457f498c6e1743fe0a9e3d50fc106621f862bf04dd
0ec77a2b6843ab87887929ed395775aa2280cb4d8d16454827bde96fcb3a100a
4fc7cb2b1080330179c0164b3cbd8b5906375fcadaad566896a5b6468917a21a
7a4b80b6d3ea4ca73224197f7d85d763dd953826978cdc30c6e75fb298cfb5ab
1b758fdf653d34cd62c7fecd1e3023ca5d3537360097676b5cc83b7915c2ac90
489d60af14c516d7b4f712272b1a2803988385e197a5883431d58f7694f22f20
f9075b95c77272f8c8f1b8fa996374c9c8e6bc0e2a6f1cbb6cc2fab34b9b589c
d122657bf2b391fb9fe392a711526b7ea4163bc606d629144c0e7b72700872d5
60541941074f0d0772bfd1b307f3ac777ed84f776bdd89aef505960bc97c1404
5e0237bb820fdcd2bafcaee8be22bb60004ef0f644c9eabaebcad2c423f4d4d4
1f468ba035928b41550cd68056a3e2ba8b4ef5e98b61b45c4562f110ddaba29a
24ce2be70ffbceba0067972a154cba571866cbeca67e2132bc01352f46acd9b6
8078b743d8a317718f8fa77d12caa85019cce7dfeab9da4e268fb4836a7f9e74
d4f10c758df8ca5f3bd16209cf5b82a27b218719453ad29e7f5073d08c376676
13aef47049b6f723e3b24e8f794b9c09e18ed477f62436d1a8250951b4fe253e
42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856
9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc
7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf
2e7fac97bc9785e461473c2776be1da2d9dfe7916753d4a3148c5055edeb9bd6
e16ed69e1d337d88539ff98cda8d36aabc495db375d68e4f9b86a1843ad8c679
799332983f0739446bd4e37db4163529d016947426bdc4ee519dc2e5976445f7
fea0db3026f3e075b240d97b0ff93ac157c8dc69a7d56a32e3595ed261a9ea55
2bc219aa0c642b6064f467a9abe85ccf81dfd0191377fa4453863384f22b5fa5
5d4360996a1f89361dda1818a51dcdd2a551698c6c4d887b5ba67fd86b946e3b
79a83acd6e34d187228950510e8bdcb36f0d3cc6dd9d6d35d40d37651454c1a3
2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
da8f006e36cc66990a1a1f43539bebc73fc9531413ba2960180db55927552014
52588fe73383ccdb5d715ecff941d1ae169a57d49deddcc8e3c06536f2c56795
7300535ef26158bdb916366b717390fc36eb570473ed7805c18b101367c68af5
23b7eb252bc2a67247c1a93f3f810acb46664d21fbb029051297c016e2991bcc
fd3164057ef5cfebb668b25b93a0638edf8d032f7a1e0c13249334bd913a1ad3
d07f3d05d91790637901f276b2b2a13ae4006768c22d9e6576a283a916530e38
eeae24981abf36649d9eeeedaee30acb50374d5567c8543e66b9c337688a7794
887f393b62c6c4b69e81cfc772397619082d936dd38cbcbc0f54b623ef871af6
12156a70576773f3aea3bb59bcb042ddc4033a7e0c1ec5dadaa8df2470a53664
a932a1ece48c319e2ea472193afc00132644c7540b4d0156b1c9b518c54869dd
a91e52d4bedcc2c8114e3f2ddb80908c4abb92b0838689a14818494009088b95
7ea98bae6d7f0176c1ae6cecc9bfbc8611304fe007899d8d989425c7b13f3339
238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84
9410ad58ad07e9b3ed28bc9be7a567ed733e14ca0de9faa470cc7c200ddd917a
2ded7ae6526b0a58dbeb50d575c13c84f76751f15a81ffb81d4a4d7f9d8539ce
232a7e46e445365072b4a136330efec9284ce63b7b1525442a10f68a8ef02ee4
1fa03ffa990685dcc676b8706fd5ef7246de2c18b97c14d882ee25b0d130955e
9529683e6579dc09cc61d5f2e5909d922f2bb589586d9c2350642d525924c1c4
8bcb1766e1f236382b36fab2fc6a8ee385275c0acbf3067471cd9b35703f2875
9fd0ede72e03f6a4897daaa809a4dafa9b9e0eeac52c5244b11df40e9a4af2f2
ece49e828c96a3cbc96535f04ef66109c997cb13a87850c4b66b3de0fd2818f7
320daf03f7f2b9e697955ebc5c479c51fa3fb32caf789187c54b52749550305a
01e140fe679c25634196075a34eb5c8594ec3631571023282955962b3dc1f609
0d222d3b5efc99f87cab1fd26440f65f531c1058dad5d9153e45331bbcf5e856
f7fbfc0649a348b742faf012fd443a55ee310f475a9b58d7b07ede4e0428f494
b5bc975891963c29a16fe8ac7dd612f15afe937fd14ba95707a6ab30224bfc7a
f6093a0d468e3cd2df9b2563336ccbd3b5783e8c06c52e296770fc31fe5257f4
99430e62ab4f67847bae708e0414b25e6df4a3631c7477231ef4bb3c214d37c3
25f9a9731702553929452710d25a8587ca7e7e7ef9494b7f82c6682a2cecf024
9d206d3991c8549fb048a2aac2bf5aa7d25c0958713fc8f3aa2bfec18d47dbe7
e07298c237f7f69d83c9760409b8c38dc311581008c751c3f6ddd37bb408cc87
e3ce6cb3e592837181c06c157cd1afd190afbedca9c66da7f4dbaf58c51afcd8
143a58287706e26be705b3756cf1810922cb28e92954ec6e669131178bf196fa
089e95b16d5f1acc07ddaf59d1edf60fd52ce6cd29f4bfa17377f4a68c383d12
662c96f27f4533d72e97b4cffe31be71d810dae4e6c1ac981060c38d3f627142
a5d951ea30a7079b09113a1f7d98abfe809f8030be45de8f8f9e96a51778867c
24d731e94d2250181a75707739b145da491194c5a6bfd29fd93ab276bb106601
SH256 hash:
7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
MD5 hash:
4513ccf66f6171fdb90d2027bb2656eb
SHA1 hash:
f46e8a490f412d9a080f116af64e31f50b768264
Link:
https://www.unpac.me/results/270727c8-3b61-41cc-94e4-b24484b5f82d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f10867f8a37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip da09334d7e9c8a22828346e38e2c25f40fed908f635601d54f45c50008a80656

Formbook

Executable exe 7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d

(this sample)

  
Dropped by
SHA256 da09334d7e9c8a22828346e38e2c25f40fed908f635601d54f45c50008a80656
  
Dropped by
MD5 bbc309067d5933ca124b0c4bf03a9d18

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments