MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0
SHA3-384 hash: 49c9e9a7a23a5109ec70e07059af60bcc113f25f5b51b844cb7eb7db26fe9ef914d787bdcbd94202ecab699125528e82
SHA1 hash: c071470b75ee54619fd861d74bd9106df4a94a6a
MD5 hash: ed88fdd0944c0c515555acd122e4f3c9
humanhash: rugby-winner-cold-kentucky
File name:Updated 2025 Trading Agreement for Direct Purchase account.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:803'328 bytes
First seen:2025-02-04 13:07:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:PKVhQHYjEHqjPCW+g2dxw61OA1UD6gOBvbpkp7yn5UUQpO1vVE027YYlf:PqhyYjljebj1UDxaTpCKqO7WT
Threatray 115 similar samples on MalwareBazaar
TLSH T18F05120FABF36DB5DA282D3BD3A7445005AE8004AC31F7559ACD99F40FA26F89C5A353
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon e0e698a08088a888 (20 x Formbook, 6 x AgentTesla, 3 x SnakeKeylogger)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Updated 2025 Trading Agreement for Direct Purchase account.exe
Verdict:
No threats detected
Analysis date:
2025-02-04 13:10:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bed4283d-b372-411f-8742-77f885d012d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a212122dcee78dd8195053
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67a211446c662328c4a9bd46/reports/eafdb4d0-bb67-4a2d-9100-db9d54807425/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91064952-6b1c-49e5-b7dc-433504ca0d78
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1606478
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1606478 Sample: Updated 2025 Trading Agreem... Startdate: 04/02/2025 Architecture: WINDOWS Score: 100 35 www.yusufzdemir.xyz 2->35 37 www.shibbets.xyz 2->37 39 19 other IPs or domains 2->39 47 Suricata IDS alerts for network traffic 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 55 7 other signatures 2->55 10 Updated 2025 Trading Agreement for Direct Purchase account.exe 3 2->10         started        signatures3 53 Performs DNS queries to domains with low reputation 37->53 process4 file5 33 Updated 2025 Tradi...ase account.exe.log, ASCII 10->33 dropped 67 Injects a PE file into a foreign processes 10->67 14 Updated 2025 Trading Agreement for Direct Purchase account.exe 10->14         started        17 Updated 2025 Trading Agreement for Direct Purchase account.exe 10->17         started        19 Updated 2025 Trading Agreement for Direct Purchase account.exe 10->19         started        signatures6 process7 signatures8 71 Maps a DLL or memory area into another process 14->71 21 TbUVu0ZowO8E.exe 14->21 injected process9 signatures10 57 Found direct / indirect Syscall (likely to bypass EDR) 21->57 24 Utilman.exe 13 21->24         started        process11 signatures12 59 Tries to steal Mail credentials (via file / registry access) 24->59 61 Tries to harvest and steal browser information (history, passwords, etc) 24->61 63 Modifies the context of a thread in another process (thread injection) 24->63 65 3 other signatures 24->65 27 TbUVu0ZowO8E.exe 24->27 injected 31 firefox.exe 24->31         started        process13 dnsIp14 41 mykitchen-ideas.shop 162.241.62.235, 50008, 50009, 50010 UNIFIEDLAYER-AS-1US United States 27->41 43 goodnewsedutech.net 84.32.84.32, 50046, 50047, 50048 NTT-LT-ASLT Lithuania 27->43 45 10 other IPs or domains 27->45 69 Found direct / indirect Syscall (likely to bypass EDR) 27->69 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0/
Threat name:
Win32.Trojan.Genie
Create hunting rule
Status:
Malicious
First seen:
2025-02-04 04:16:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxed5bdbazfgorkxklkieu33zbwrsvyzsqvlahjcchohlo3j7daa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
584f89a151ee7d12e1f1c17384147f5b242c7aa9c5ae082fcdde789732ad980d
Formbook
640cd2bb3f4726760684d6e3a5e56e28e37860c7d377fd18e1f428d31b47a468
Formbook
error
Formbook
+ 105 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250204-qc9e6aylcp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0fa9d62d-41c2-4959-b8b0-f047bec1835a
Unpacked files
SH256 hash:
85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0
MD5 hash:
ed88fdd0944c0c515555acd122e4f3c9
SHA1 hash:
c071470b75ee54619fd861d74bd9106df4a94a6a
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
SH256 hash:
418b21ec5efd1adf8120c5f07c4f000e47e0cf0ca50483917e8f6d1b86733cbc
MD5 hash:
271739dd9a5398038839c36095fc7bc3
SHA1 hash:
10336d6e604872533058f09b2e2f042539636b32
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
SH256 hash:
235f7910cf41c3df2d3d65bf6d292c5fb3eb07cd6cc64bfa8c7dd53cdb9f844b
MD5 hash:
3970095ebb65dc14e834ebb4201fad19
SHA1 hash:
562521f42548d13932ba6fa4354d9dcd874593a6
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
SH256 hash:
a773a0717e0d300a3bbd74940bdf36718202a24c78fa9ea1513def7586ce451c
MD5 hash:
f552ebc8f408a6990db38646186b0746
SHA1 hash:
dda7e1ce299a8a0cf0c6e358de6800abf966726b
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
SH256 hash:
723248fc7298bb276cba4247e421b4374b896293cf8701256838d28b8852d3ce
MD5 hash:
5e6c8f3f64d7ed60a01e5be808c4eba7
SHA1 hash:
e1944657bb492e27f874313fcf854c41eccd77a2
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
SH256 hash:
dbbe53d8aaf54a427ca7e4f3b3a32abcc8ef96dd642b017b54c74e4ba6d8b57b
MD5 hash:
9db50228cde30984246365865f882593
SHA1 hash:
cfc14da1dc7751977fc14d110c4d4dcbc68597e8
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
SH256 hash:
f55bbdf72e564fe51b0966df7c7441cbc3d2bf7f080d9963efd856449b440c38
MD5 hash:
03f0b5155960e98eb7763f43da3e9907
SHA1 hash:
48f30aac7e669319fecfd9f864e81c973d5e7a8d
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/fcbc697f-7c9a-4319-be3b-636513b9b2b2/
Parent samples :
2ded7ae6526b0a58dbeb50d575c13c84f76751f15a81ffb81d4a4d7f9d8539ce
17c4031831d4166a50a72b65ebdb2a4825645a3314ba5907f46329b9da9b2a06
93d75ee7ff41d078613fe66301551570e2102d52ee9505dc09eff74d6a70df8d
ee55e7f496b05d9bf98cc381e621483f549f9452d94d6ce32d4f3b59c67bec57
85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0
46d3ad35d5b8f4489e3752447bdc1c3690e3cb69259f2b561e9a6c7a6677e769
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85c83e846106/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 85c83e8461064a67455752d482537bc86d195719942ab01d2211dc75bb69f8c0

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments