MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
SHA3-384 hash: d86f17f30e9947811f82e73f747a88e5c763dd1d499beb5a610651843efc709c79ccb586429d9bf5cf65fcc914338d89
SHA1 hash: 13fe1245838c22bb541537acf85fb07cd2859e0c
MD5 hash: 8cb4b2133502a55d198bbac1b8508203
humanhash: harry-april-single-fifteen
File name:P4678995434.xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:757'760 bytes
First seen:2025-10-20 17:17:55 UTC
Last seen:2025-11-06 10:55:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:md3L/rb8WkQougDFRYbKsI7BQjP5EA1Fk7orSUPOuV0v/gnNSCMJpvwtSsGhaQTn:A7v+QodZqI7BOBEsUo1F2/gmDv4SsGo+
TLSH T124F4125C678DCD22D4A42E305610E3B023748F5AF856C6238FFCBDEBB479E162858B95
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
105
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P4678995434.xlsx.exe
Verdict:
No threats detected
Analysis date:
2025-10-20 17:21:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94508fc1-0029-445b-8473-ed4e1054a9bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33515/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f66ef23edd081eba401426
Tags:
underscore spawn shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance redcap regsvcs rezer0 roboski schtasks stego vbc vbnet zero
Link:
https://www.filescan.io/uploads/68f66f043a79800405ecb37b/reports/86b0e5b4-caed-4081-9e0f-5fc88609c34b/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T00:17:00Z UTC
Last seen:
2025-10-22T12:05:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.DarkCloud.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb VHO:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8a2d78b-ff30-4b9a-bd13-4e0c68a8aa65
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798579
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798579 Sample: P4678995434.xlsx.exe Startdate: 20/10/2025 Architecture: WINDOWS Score: 100 50 www.youcontributions.xyz 2->50 52 www.ulke.com.tr 2->52 54 2 other IPs or domains 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->58 60 Multi AV Scanner detection for submitted file 2->60 64 6 other signatures 2->64 11 P4678995434.xlsx.exe 4 2->11         started        signatures3 62 Performs DNS queries to domains with low reputation 50->62 process4 file5 42 C:\Users\user\...\P4678995434.xlsx.exe.log, ASCII 11->42 dropped 66 Adds a directory exclusion to Windows Defender 11->66 68 Injects a PE file into a foreign processes 11->68 15 P4678995434.xlsx.exe 11->15         started        18 powershell.exe 23 11->18         started        20 P4678995434.xlsx.exe 11->20         started        22 P4678995434.xlsx.exe 11->22         started        signatures6 process7 signatures8 78 Maps a DLL or memory area into another process 15->78 24 XIyHLH1yrw.exe 15->24 injected 80 Loading BitLocker PowerShell Module 18->80 26 WmiPrvSE.exe 18->26         started        28 conhost.exe 18->28         started        process9 process10 30 mstsc.exe 13 24->30         started        signatures11 70 Tries to steal Mail credentials (via file / registry access) 30->70 72 Tries to harvest and steal browser information (history, passwords, etc) 30->72 74 Modifies the context of a thread in another process (thread injection) 30->74 76 3 other signatures 30->76 33 KJzVpvkri.exe 30->33 injected 36 chrome.exe 30->36         started        38 firefox.exe 30->38         started        process12 dnsIp13 44 www.ulke.com.tr 185.195.231.66, 80 VARGONENTR Turkey 33->44 46 gooder.bar 3.33.130.190, 80 AMAZONEXPANSIONGB United States 33->46 48 www.youcontributions.xyz 76.223.54.146, 49692, 80 AMAZON-02US United States 33->48 40 WerFault.exe 4 36->40         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86
Link:
https://app.malva.re/file/8cb4b2133502a55d198bbac1b8508203
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-20 03:51:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qj354kqiy6qtknipvbeyngninp6sr27tcqbjbdofeozo54dqqt6q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251020-vvk8hawpcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
MD5 hash:
8cb4b2133502a55d198bbac1b8508203
SHA1 hash:
13fe1245838c22bb541537acf85fb07cd2859e0c
Link:
https://www.unpac.me/results/727e86e2-ba8f-4bae-969b-5512c18e5394/
SH256 hash:
2d373b906748a78d0a5b0bb635494465fa66a0e95c29872c45eadaeb7884c244
MD5 hash:
91530d27048fe358ccb9ff84dcf73f2c
SHA1 hash:
07b0f89704110ff068948d46079b6cefbeff601c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/727e86e2-ba8f-4bae-969b-5512c18e5394/
SH256 hash:
c0418cf8a7952e204acfc87dc155fcceb5a486ead59260f2303dba78db496a31
MD5 hash:
bc82a9e341e9ede14ac25f6a8aa82e56
SHA1 hash:
63020718b421fbb439f2600961ede97d704130ee
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/727e86e2-ba8f-4bae-969b-5512c18e5394/
Parent samples :
89c911723b05c5bce8bcd4dd0ec42f190763afc166e85e0fde944e2e752223c8
f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
bdb77fb15a71d15824003e2baca520124dab19ec99a1cd90e12769be216e1541
d9be66d734fe5c34f17805e4c54fc22862108dc83120fd30ea27679a0b32b442
8ddf7f818b62b95ca4b60a5177dfe46d00684f3f2b14998b8419f29e081186e7
e80ff6956ffb3e3189596fe42c13b03efb70c023bb9db2f83db9d91ec04a157c
f49d6efeab5a163ccaff6d8166c0be80e8430d50b4ba7c43df903dbb05bb7bfa
d87de6be63c49499dfe482bfdafbdca13760efb66c2d8af6950919f01f52608c
2c2b051b1f3085754054173c5afc5675b0bd9f2940f7ac81714f8b2d08faa63b
2acbd38d75a998bc663dc7f1ba6ccccf87d9724557b52b2966250cba1c70286b
dbecf6e2bad4b37d6d724a33c84bd1826dbd4f6eb0c490ef152b261c67edc751
ef191e2d10681d7e07d403c5a0f5c595fb55c54c9a66ddd6cabdb7af0d6f65b2
83ac2145013dfaebbf27d69340996ccc9ccbd9e609dce2b7be58c10f32b29a9b
SH256 hash:
eabe1822e74df66451abd6e69c33d1f98b8ae6ede8d3a3d6d3e38503406dbce5
MD5 hash:
f4070f6b3e7c23e4f8431d7f9033452f
SHA1 hash:
7495900b72f95bbb28c133d679176ab9ceec177d
Link:
https://www.unpac.me/results/727e86e2-ba8f-4bae-969b-5512c18e5394/
SH256 hash:
17acd4803bff203f9c4ac1177e2fc4001ccecb699a3eff41bfa80b2b08469599
MD5 hash:
b9d799983fdb6ffbd3917e85128728f2
SHA1 hash:
5707b74f77f79d53d5a196697ac36903846b817d
Link:
https://www.unpac.me/results/727e86e2-ba8f-4bae-969b-5512c18e5394/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8277de2a08c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33515/

Comments