MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639
SHA3-384 hash: 652f15bed736ca5834fb4d174bfd1bcd5ff861bf15819abfb9c85122cbeb5534d767715cc665a3713831dbe68c63898c
SHA1 hash: 9b383c5088918b2649654c5d20343e25391488e2
MD5 hash: 7af12dbb0abaad9f64cfc70827ba58ca
humanhash: edward-zulu-echo-xray
File name:INQUIRY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:750'080 bytes
First seen:2025-04-29 12:27:04 UTC
Last seen:2025-05-13 06:02:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:OPGaKsGDAx9z6UPhVILPTy+j7WD/8x2tF3LElZTP/NGnO4YvU:c/rwnqEAPAnRl
Threatray 4'774 similar samples on MalwareBazaar
TLSH T1EFF4F1643308E613E8E51B745B71F274027D6DDA7801DB6A9FDA7DEB7A72A040D0A283
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
445
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
INQUIRY.exe
Verdict:
Malicious activity
Analysis date:
2025-04-29 12:32:12 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/46aa1f3b-7198-4b58-a85b-a9145526c063

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4983/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6810c94bc8b2e86d0ac45f65
Tags:
spawn shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6810c5a0218c4a98ade7494b/reports/02b1ed6d-b0c9-45ee-8270-33257b6dae67/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/203565f7-7468-4c0e-8984-78f99c93a6fb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677288
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677288 Sample: INQUIRY.exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 62 www.lotpersen789.xyz 2->62 64 www.lgox.bot 2->64 66 4 other IPs or domains 2->66 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Sigma detected: Scheduled temp file as task from temp location 2->86 90 8 other signatures 2->90 11 INQUIRY.exe 7 2->11         started        15 grCQhEdmVl.exe 5 2->15         started        signatures3 88 Performs DNS queries to domains with low reputation 62->88 process4 file5 54 C:\Users\user\AppData\...\grCQhEdmVl.exe, PE32 11->54 dropped 56 C:\Users\...\grCQhEdmVl.exe:Zone.Identifier, ASCII 11->56 dropped 58 C:\Users\user\AppData\Local\...\tmp5F02.tmp, XML 11->58 dropped 60 C:\Users\user\AppData\...\INQUIRY.exe.log, ASCII 11->60 dropped 92 Uses schtasks.exe or at.exe to add and modify task schedules 11->92 94 Adds a directory exclusion to Windows Defender 11->94 96 Tries to detect virtualization through RDTSC time measurements 11->96 98 Injects a PE file into a foreign processes 11->98 17 INQUIRY.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 23 11->22         started        24 schtasks.exe 1 11->24         started        100 Multi AV Scanner detection for dropped file 15->100 102 Switches to a custom stack to bypass stack traces 15->102 26 grCQhEdmVl.exe 15->26         started        28 schtasks.exe 15->28         started        30 grCQhEdmVl.exe 15->30         started        signatures6 process7 signatures8 70 Modifies the context of a thread in another process (thread injection) 17->70 72 Maps a DLL or memory area into another process 17->72 74 Sample uses process hollowing technique 17->74 76 Queues an APC in another process (thread injection) 17->76 32 explorer.exe 23 1 17->32 injected 78 Loading BitLocker PowerShell Module 20->78 35 conhost.exe 20->35         started        37 WmiPrvSE.exe 20->37         started        39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        80 Found direct / indirect Syscall (likely to bypass EDR) 26->80 43 conhost.exe 28->43         started        process9 signatures10 68 Uses ipconfig to lookup or modify the Windows network settings 32->68 45 ipconfig.exe 32->45         started        48 ipconfig.exe 32->48         started        process11 signatures12 104 Modifies the context of a thread in another process (thread injection) 45->104 106 Maps a DLL or memory area into another process 45->106 108 Tries to detect virtualization through RDTSC time measurements 45->108 110 Switches to a custom stack to bypass stack traces 45->110 50 cmd.exe 45->50         started        process13 process14 52 conhost.exe 50->52         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 12:18:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdplfp66jzdl7lqxk2j7crlfkkumlfhh56jkp7pid54vclwf6y4q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
1e26f69f063b034aff856a4b9bb1680824e61ebf28867a36fa30e2b3e1727526
Formbook
4ef83ac7a3bdee1a742de8de749c5afa4747acc20f8937301dcba291d1ef83d7
Formbook
582c078327541d1459228aebf38c9471b78e3a2c03cb9c375622209221970709
Formbook
6be92b0d491f6d5d7f65e01a3336aac1155f091ad6def08b541e07b68eda3bb4
Formbook
a779cf3623ccd0238d0b5d3f01dcc911e1538a1c0a656442234b4c3335453607
Formbook
c6113d38b157b316943297f3981f9cb3291e0c4b62fbbded5143d115586fd1dc
Formbook
efc8dba0e301b455b4691c60bf363ce60bc0b44921a2018ce2c1a684df8d26b9
Formbook
error
Formbook
f42de693aaae005ec4dcf3514621f8573b422f3a3ad1bb1af370acc7c5cba233
Formbook
+ 4'764 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mk20 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250429-pmta9ayvc1/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/00d4df2d-3b3e-4780-a4fc-b1c95ff242c1
Unpacked files
SH256 hash:
80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639
MD5 hash:
7af12dbb0abaad9f64cfc70827ba58ca
SHA1 hash:
9b383c5088918b2649654c5d20343e25391488e2
Link:
https://www.unpac.me/results/e732797d-05db-4b93-a5e4-fccd98855a18/
SH256 hash:
c09e0e64718e1b45af19885feddc86f902bc18cb5fa5e64dade87ee1c4f0f3f2
MD5 hash:
2e4fe6630c31bbf4ad9558dbdb64ae4d
SHA1 hash:
030852dcab9532308aefb31b1b719416c5840d24
Link:
https://www.unpac.me/results/e732797d-05db-4b93-a5e4-fccd98855a18/
SH256 hash:
f7d936bf01c34d028e091b88b4e008fb52a29422eaab098ef27b30d51cda5aff
MD5 hash:
6a18c4a4536d4174feec95c7a3a680e1
SHA1 hash:
6faad9c989703fcba00e4c6df102bb3b6eddcb0b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e732797d-05db-4b93-a5e4-fccd98855a18/
SH256 hash:
8b9b8228528aa3f04c31c73c8c7603f939ccf9fbf3dc747c0abe9ffef6ce7cf0
MD5 hash:
d4f86f0bbe0799924ac776487fd2eef1
SHA1 hash:
6ce2e10554f00f743b3f6fb2be4779d2b7a1def6
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/e732797d-05db-4b93-a5e4-fccd98855a18/
Parent samples :
80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639
f7716c15ec6f2fbbe55ea20de84f9b2b2c5c985f65aa7482a1aa7cf8bf1d06d6
038f5306f2e0a321feed92789bb34b382def8f7e67a38cb924e1e508934a5c74
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80deb2bfde4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80deb2bfde4e46bfae175693f1456552a8c594e7ef92a7fde81f79512ec5f639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/4983/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments