MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f
SHA3-384 hash:	d7cd47d68485efe25b34ce409374f391c6bfc366b0184aa081108533f265ff550e81bde48612e0c55c69e1272c2a69f1
SHA1 hash:	b99426345cc005fcf5caa333ccae68ce8345c9df
MD5 hash:	1b27358f5ad8d9e7f8f24dae59c0e047
humanhash:	cup-timing-wolfram-xray
File name:	EKSTRE_005.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	611'840 bytes
First seen:	2025-03-24 08:44:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:xijHAqAJFfG3AP4mbYl4uahxX5Euk5vQnO67B1EU:xoAZ+IbY+/hxXOuS8OWB1J
TLSH	T11ED4019C2A2AEF13C8B21BF50A21D1B227F16CEE6812D60B9FC97DEB34B5B045140747
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e24712bb84e066269ebbf7

Tags:

trojan spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Forced shutdown of a system process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/67e11b9fa08e28b31d9f18bb/reports/5c5f5c9b-821d-4106-a5d2-90b6aa05e6d7/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1646829

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2025-03-20 21:31:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r77zufzxotpe554bhhkj4p3cxa756gzkkqwck5lh45whxaxplzpq._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:bs03 discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/250324-knsc5ayky7/

Behaviour

Gathers network information

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Deletes itself

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/52caf7a9-fe8c-4e93-8dec-84ee7c262082

Unpacked files

SH256 hash:

8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f

MD5 hash:

1b27358f5ad8d9e7f8f24dae59c0e047

SHA1 hash:

b99426345cc005fcf5caa333ccae68ce8345c9df

Link:

https://www.unpac.me/results/1c5b553a-356c-47ad-9a49-7672b6f13d43/

SH256 hash:

ed7090c87927967c08f1c0b861b1c21ed1cd0885227c31bb4e52e857f657b667

MD5 hash:

ab04dbde3ab78a30cd8ef476fd5e2ee5

SHA1 hash:

2ea3e35075a11b8f762272f19d4efae3caeafc5e

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/1c5b553a-356c-47ad-9a49-7672b6f13d43/

Parent samples :

cea3a71806ecfdd4c4ba8a81c7cab7e2e3e30cd1da823cd3e4b145a949cc3617
1c3857b716fc65dbd1ffdc7e06b1d2b0420537ac4f113d7ece283b64fee8c976
8a54d3c9af3aa73ee06abc101d4c1791adbefdd205a1d576cfcfab423d441c87
714169ae2bbd3503ff72eda33d7fdff7cecd5f39fcea5c49e2f4ad4562aabb3d
20aed1d218b695d49699aa9afb2f2e036b24ecf0654ac8e1253a99037ec44c1e
c3f9616bfc8b4e899bc5bebb87ff26a4582f5ce8387388d7a6581268b02298a5
a9a87510d6ea1ba4e8ac3d7fe1fc5099a356b6d99fe729d384cbf2b665a653a5
35ebe17f33803f292a173b8652fdd9c69be8e6b89bc9897776e41c3a721b4211
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f
4f30ff34b7783623eeb7e213fc6a4bfe560e4607271791144262a3e5e3b9b1ed
e6f8c55e28db20fd767010b1bae587df65c60c8902216e64f4dbcf2d885c72b5

SH256 hash:

cc6199fade453f3827604498b769cd055bb1b301c7255ce25fde5867306c419c

MD5 hash:

22cd3a25014a6465cbcdadafd703bcb2

SHA1 hash:

56ba8a9b102bae5038806eb4d17a8755d5fe05b3

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/1c5b553a-356c-47ad-9a49-7672b6f13d43/

SH256 hash:

532b11c8087cc519a9ad47e7d9f1129467911478a1ef182b4187584aa011d29d

MD5 hash:

ccee1396e554934bc68432550a9d5470

SHA1 hash:

89301cec622009659e5913b0406de46cf0e873de

Detections:

win_formbook_w0

win_formbook_g0

win_formbook_auto

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/1c5b553a-356c-47ad-9a49-7672b6f13d43/

Parent samples :

41415c1dab37487faf427095855fb66cafa150ae15b9c515234e1e0b5f733aa8
4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b
8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f
df76258f5a92817111c47c370f40806f0e913fe8a8f05dc84a8a3f5e5c8464eb
16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8fff9a173774/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample