MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
SHA3-384 hash: 21e7e730fcdcfb8200dccfd8d73b341868a2a2fa8941899f9b49a759d99e43eba6d9d15d59172843110daf956b3145d9
SHA1 hash: dcd689e68e021aeba089fa454bcfbecaf63d3c65
MD5 hash: 4683b0a049432c2f6fc273376333f569
humanhash: uranus-triple-uncle-carolina
File name:8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
Download: download sample
Signature Formbook
Create hunting rule
File size:776'192 bytes
First seen:2025-10-10 06:45:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6pHDzEjH3eFr4P+nbTWHymCiMJDw9fXWd2eJlzG/8b+nyU8NGxBVn0V6gtShqZ9a:YzEjH3eFrs2RmCiyDwNXh6lz/bgf8NI5
Threatray 1'996 similar samples on MalwareBazaar
TLSH T155F40258235AEF12C8B11BF04970E3F01379AE89A556D31B4EFA3CDBB83AB115994743
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
Verdict:
No threats detected
Analysis date:
2025-10-10 10:20:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a11fe2e-2d98-44de-9d99-3761cf5dc446

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32164/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e8ad488b7b147cc4b68d87
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68e8b8614f3013c55e494475/reports/917d88f7-6a21-49b0-8680-bd6a64f46994/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-16T03:59:00Z UTC
Last seen:
2025-10-02T02:51:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69d84511-0353-4633-8c96-aa8390e38344
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.48 Win 32 Exe x86
Link:
https://app.malva.re/file/4683b0a049432c2f6fc273376333f569
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 10:57:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
3a2ba2930632a0a60f6c74b40be24d474cf84c174d921bd8bab8903d59f01835
Formbook
583cd2c26e0d7bc786d76dbf50dd0a76c8026aafd39b6f932ee7dd6c4faa4601
Formbook
597c42249ac3a5da42285aa99cac5a00ba45c61c695c4f6af4df925444b276cf
Formbook
989743ced5dd962ea0dad1aaf89998ce3b2bed6e97ad59fd520402592b1bd18d
Formbook
ada71baf53aaee00fdd7839175e9f688dea0365cd09a500c68187d3565c2c1b0
Formbook
b140ed87f2ba5d4ea5781adb9abeb567c743c2edfcb330d2fcd93f7a72eb5220
Formbook
d248a0c9b30b0ae7ba91096d8106ca1b97b706a4d10e3921caeab6e9031bd565
Formbook
e97f62d893c2f818f623482a0c8f35f32e9862a67cc479efdb5723ec75d1f6c0
Formbook
ef9ded41b6e7c1bd265900b7fa7699b2346cbf95e99c1dcfb8ffd6557017ef5d
Formbook
error
Formbook
+ 1'986 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251010-jfld6shk4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b893362c-9659-486a-8fe9-e565f4774990
Unpacked files
SH256 hash:
8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
MD5 hash:
4683b0a049432c2f6fc273376333f569
SHA1 hash:
dcd689e68e021aeba089fa454bcfbecaf63d3c65
Link:
https://www.unpac.me/results/ef6abb4d-7c9d-4421-a77d-401abd4e56e5/
SH256 hash:
1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12
MD5 hash:
e870d1e8f3791ccc141f85f40fd2972b
SHA1 hash:
150919ee289cffa6feb40ab8261f620dd7e26aac
Link:
https://www.unpac.me/results/ef6abb4d-7c9d-4421-a77d-401abd4e56e5/
SH256 hash:
7f7fe37c05451af9269a90f703bec090f1c0646868ffed56040c303ed8cfa249
MD5 hash:
dcfc8db7f2a3e9417b541b4b40e1a5ea
SHA1 hash:
631223ae82a3156dbefc3248f6401943c9fbed87
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ef6abb4d-7c9d-4421-a77d-401abd4e56e5/
SH256 hash:
ca1afbbdb25b54e0d4c07f9b84b0413f52a43b6cde98879ad8ab8f4af072cc61
MD5 hash:
08b7c02de115f6bd6949b9cf47164d4b
SHA1 hash:
9307c830cedc68bfba8f518954c07c352cc063bc
Link:
https://www.unpac.me/results/ef6abb4d-7c9d-4421-a77d-401abd4e56e5/
SH256 hash:
a9a052597a34286cf778a5ad06f7f70f61712d1987f53a987c223d43b12073a9
MD5 hash:
e97357eb02eb9b699aad5c9c5990ef31
SHA1 hash:
5bc3719dbecef38e6087c7f70e0fd146343304da
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ef6abb4d-7c9d-4421-a77d-401abd4e56e5/
Parent samples :
ada71baf53aaee00fdd7839175e9f688dea0365cd09a500c68187d3565c2c1b0
eafab9555af357e0f3748f5545f4abb7a7017e06fc023f32157b446ba7e9a828
100dee1435e5c1b8e15c6b354723199d6bb76e7085214987908abfdd8e9a7835
bf60b093a5077cd95856432f33f37e1aa2d6b672eb3a8445d3b08788217f0fa0
df3479b269fd17c9f3e13358b3b945d0173c6f95bfd405c3ddc9dbec577f4699
b1a2a5c2a8f9406c6a85e00e4c2790d60f1b4a5d2bc956f5c32203b392634950
8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a
3f50e8ea3fdd5c1a72a3c7de22984a59f6f6e73d7d395824b2715d10a22016ff
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d55e8bec136/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d55e8bec13637a61dc5bd6fffc8fa267d266aabef0f039cd668a72f5ae2b51a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32164/

Comments