MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f
SHA3-384 hash: 8ae11d7b1fe726b710a52c7519c1270170892fd3435a083b419bc54504229f165fc321e358703f5f158da4c610f9d656
SHA1 hash: 6e8e826667b9108e39174c21c52f612185218e3c
MD5 hash: 981a248251067f2a970b365eee0d6087
humanhash: pluto-dakota-harry-zulu
File name:RFQ3252025.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:779'776 bytes
First seen:2025-03-26 10:10:24 UTC
Last seen:2025-03-27 15:40:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:F72iNczJ+Wnqn++Pxp2HhlMYcjThnaOcIsIG6DKl0WIA8dSQHlEB8nxX7RPXgHUr:91qzM1xp2BlMHjThn7R5ZFLtVn5gd99C
Threatray 46 similar samples on MalwareBazaar
TLSH T1F6F412685706DA13CAA617B10DB2F57823BD1CCDE911D30B4FED6EEB7A32B109D44292
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
510
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ3252025.bat
Verdict:
No threats detected
Analysis date:
2025-03-26 10:36:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/79b794a3-dbef-4a04-a3a8-9ebb09161249

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e3d2cc12b5dc44da3e3258
Tags:
shellcode virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected phishing vbnet
Link:
https://www.filescan.io/uploads/67e3d2c9631830704a87a18f/reports/d7f4187d-549b-42c8-b1fa-ef0e27823ee4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8e677f5-c910-4521-b8cf-9bd36f0d77c5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1648960
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1648960 Sample: RFQ3252025.bat.exe Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 31 www.theamsterdamtouch.xyz 2->31 33 www.vitalh.life 2->33 35 9 other IPs or domains 2->35 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 5 other signatures 2->53 10 RFQ3252025.bat.exe 3 2->10         started        signatures3 51 Performs DNS queries to domains with low reputation 31->51 process4 file5 29 C:\Users\user\...\RFQ3252025.bat.exe.log, ASCII 10->29 dropped 65 Injects a PE file into a foreign processes 10->65 14 RFQ3252025.bat.exe 10->14         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 14->67 17 oKx8Q6lpsYAfD3A.exe 14->17 injected process9 signatures10 43 Found direct / indirect Syscall (likely to bypass EDR) 17->43 20 verclsid.exe 13 17->20         started        process11 signatures12 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Modifies the context of a thread in another process (thread injection) 20->59 61 3 other signatures 20->61 23 oKx8Q6lpsYAfD3A.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.vitalh.life 67.223.117.189, 49709, 49710, 49711 VIMRO-AS15189US United States 23->37 39 www.madebyveronika.art 62.109.151.80, 49705, 49706, 49707 IGNUM-ASCzechRepublicCZ Czech Republic 23->39 41 4 other IPs or domains 23->41 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-26 10:11:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rp7lsbr7szx32nq3nmrz23tb3cbkbsbvxkb6yufmmxc7les4u5xq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
034d50a32f4d02f98159dfe1a44bcd3f87aea96af49340d516ed4a6e744929a3
Formbook
3b5893af84e478f126cbcee3c73bfb8edb25be9e9ec4f588fc7d8244d2d2a09e
Formbook
40a02794b61fb32fcad4b270141967d6ed82253085ba80599c2e6559679d0a00
Formbook
8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f
Formbook
af757217c016eb5365af3d45f7afc0263b2dca31a0cdf7d05e3f05e45cb9b799
Formbook
error
Formbook
fa5ef010e02cea3f7b92f1d8d529a291a1a775967a9f03cc58f6749ace1469d6
Formbook
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250326-l742pswqy5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7847cbb2-5481-4d76-98b0-a03f530ac27b
Unpacked files
SH256 hash:
8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f
MD5 hash:
981a248251067f2a970b365eee0d6087
SHA1 hash:
6e8e826667b9108e39174c21c52f612185218e3c
Link:
https://www.unpac.me/results/696baf43-4a3e-4e52-bee8-855b4eaf5da0/
SH256 hash:
d258628a2fb167654bc2161e1a3ac70f08ff228bf10b892b061af625ee2d61d5
MD5 hash:
5c6955cc1c942f652ddb45075cd9f543
SHA1 hash:
b80c4c66d89627f9786caab6280da91864305411
Link:
https://www.unpac.me/results/696baf43-4a3e-4e52-bee8-855b4eaf5da0/
SH256 hash:
565225a8561134b4966c139430b4d6945eedd45444d8435a48c6e7f41f7f7e30
MD5 hash:
3aebca61c665584c799acf55900cb26e
SHA1 hash:
3717a4f60d2822dfd8effda5490c93e7ccb38ebc
Link:
https://www.unpac.me/results/696baf43-4a3e-4e52-bee8-855b4eaf5da0/
SH256 hash:
dce59b621cfd32866fe54219f95243aa99a64abb569f25b28140a3cdce99df61
MD5 hash:
8fafd1f075c672e168b87feb8a98ee15
SHA1 hash:
9832f9910ec8a7ae541fcf873fc86b4d9f2092cd
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/696baf43-4a3e-4e52-bee8-855b4eaf5da0/
SH256 hash:
0dafc3a393987877058abdd9a1cb754f1bf8a123e6b0375a4bbe0f09ba026166
MD5 hash:
fcaa4b23274a7c4a5e6d4fe3a5c6f77c
SHA1 hash:
ec9a75a8ff7bd96eb7579cb940c4956cf77125d0
Link:
https://www.unpac.me/results/696baf43-4a3e-4e52-bee8-855b4eaf5da0/
SH256 hash:
f6517fbed6f7f47675869c53527d90da81cb868cf8d0371911a1da93136cbed5
MD5 hash:
caec35c9d2b244e5012fb06be7c4d940
SHA1 hash:
0ce6ae35cc9bd0d1b0cb6f62370939d02346abf0
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/696baf43-4a3e-4e52-bee8-855b4eaf5da0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bfeb9063f96/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8bfeb9063f966fbd361b6b239d6e61d882a0c835ba83ec50ac65c5f5925ca76f

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments