MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471
SHA3-384 hash: b0fdc37919cea1c400447303539c4643597aeeccd436d2d6f1801cfa932da6adee3a75c49d1b917eefc45656c82a2a42
SHA1 hash: 89d1275ef3b5d7e4d9218d9312c3b3448ef7b02b
MD5 hash: 1629954790626a170417dfd4484110a9
humanhash: floor-montana-tango-utah
File name:Lab Dip With Sample Yarn Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:765'952 bytes
First seen:2025-09-24 07:06:37 UTC
Last seen:2025-10-09 14:37:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:nASsBA1/eXyrAJA1wZE28JDFZKP4BdPqn1RuSXe/zhPIhYj05lfCwKmmUTazJC4M:ASYImX6A7ZwH6n17Xe/FOYj055g
TLSH T1DDF412587346E802D5B21FF018B1D7B40BB4BE8AA915C3079FFAACEB78367542D45386
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
6
# of downloads :
112
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
8176e3e766aa3db5d2b132c3656901c67ef7d7a804b423bb91a27e280080ced9.zip
Verdict:
Malicious activity
Analysis date:
2025-09-23 08:59:33 UTC
Tags:
arch-exec formbook xloader stealer
Link:
https://app.any.run/tasks/91f24620-a440-4b35-bbb9-09deeaccb912

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28742/
Detection(s):
SecuriteInfo.com.Trojan.Siggen31.57980.5707.5724.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53dadcc9425144151cc76
Tags:
virus spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68d398a405398d990aefed1b/reports/a646a051-8cd7-443d-8943-2d3c28277854/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-23T03:44:00Z UTC
Last seen:
2025-09-23T03:44:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a02d2c1f-bcb4-4641-8791-3e489275b685
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1783087
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1783087 Sample: Lab Dip With Sample Yarn Or... Startdate: 24/09/2025 Architecture: WINDOWS Score: 100 49 www.superunihub.xyz 2->49 51 www.lyoira.xyz 2->51 53 19 other IPs or domains 2->53 57 Suricata IDS alerts for network traffic 2->57 59 Antivirus detection for URL or domain 2->59 61 Multi AV Scanner detection for submitted file 2->61 65 8 other signatures 2->65 11 Lab Dip With Sample Yarn Order.exe 4 2->11         started        signatures3 63 Performs DNS queries to domains with low reputation 51->63 process4 file5 41 C:\...\Lab Dip With Sample Yarn Order.exe.log, ASCII 11->41 dropped 67 Adds a directory exclusion to Windows Defender 11->67 15 MSBuild.exe 11->15         started        18 powershell.exe 23 11->18         started        20 svchost.exe 1 1 11->20         started        23 MSBuild.exe 11->23         started        signatures6 process7 dnsIp8 77 Maps a DLL or memory area into another process 15->77 25 fK9QeCOivn.exe 15->25 injected 79 Loading BitLocker PowerShell Module 18->79 27 conhost.exe 18->27         started        55 127.0.0.1 unknown unknown 20->55 signatures9 process10 process11 29 cttune.exe 13 25->29         started        signatures12 69 Tries to steal Mail credentials (via file / registry access) 29->69 71 Tries to harvest and steal browser information (history, passwords, etc) 29->71 73 Modifies the context of a thread in another process (thread injection) 29->73 75 3 other signatures 29->75 32 wP6g6hQ6YAC.exe 29->32 injected 35 chrome.exe 29->35         started        37 firefox.exe 29->37         started        process13 dnsIp14 43 www.lyoira.xyz 67.223.117.189, 49695, 49696, 49697 VIMRO-AS15189US United States 32->43 45 clarke.ceo 15.197.225.128, 49699, 49700, 49701 TANDEMUS United States 32->45 47 11 other IPs or domains 32->47 39 WerFault.exe 4 35->39         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.37 Win 32 Exe x86
Link:
https://app.malva.re/file/1629954790626a170417dfd4484110a9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-23 08:59:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7qf4d4nhfvktc2ifsd4m6ynjizacjbn3nyxippqsw2b5u6qkryq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250924-hxwe2attes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5a52f85b-dad8-4b97-b893-44e2b2d212e8
Unpacked files
SH256 hash:
8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471
MD5 hash:
1629954790626a170417dfd4484110a9
SHA1 hash:
89d1275ef3b5d7e4d9218d9312c3b3448ef7b02b
Link:
https://www.unpac.me/results/5b48c5c6-c4a9-4464-9400-c73d20b40c1c/
SH256 hash:
3ceeb0c071b160fb4e3af51ad09b6f918ecd8d04d65f5f54a697d3d331cb29ef
MD5 hash:
a2efe2b70a04bcf321019769eb43b986
SHA1 hash:
116930b3891a1be091a3929953b7d24fdfa0f9ee
Link:
https://www.unpac.me/results/5b48c5c6-c4a9-4464-9400-c73d20b40c1c/
SH256 hash:
7b675628e3219e65757449fb496b5a3787da5e2c47339f7c385841ee6fb403b5
MD5 hash:
cb5362cbb7ab48f1c1d71d18b43008ae
SHA1 hash:
9dfcbf14dae3a50fef5d261ea6ff9c8bbf0f133b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5b48c5c6-c4a9-4464-9400-c73d20b40c1c/
SH256 hash:
796895f86291ed8b552b663173cd35dfdc48d2e7d038ce6ea103848955a16e37
MD5 hash:
55cbac1bb92f70f90ce3270f041a3903
SHA1 hash:
9f00900f531fbc8296420010126524b004e531ff
Link:
https://www.unpac.me/results/5b48c5c6-c4a9-4464-9400-c73d20b40c1c/
SH256 hash:
9ef15019406535c2e9a161058649f090d4f7e2f60048dff08f9483e3b2b52a4b
MD5 hash:
7c33d9ba0164009337146bd94a68dc63
SHA1 hash:
49b57573334cc72f922aa87864ef7befe30883aa
Link:
https://www.unpac.me/results/5b48c5c6-c4a9-4464-9400-c73d20b40c1c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8fe05e0f8d39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8fe05e0f8d396aa98b482c87c67b0d4a3201242ddb71743df095b41ed3d05471

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28742/

Comments