MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
SHA3-384 hash: c6aae6250d5a0d42b93a50089045eed14cab7e7255d607c87a994c4900eacfb7737818531b897b79212a36174cf82ef7
SHA1 hash: d940a2ef5961160e7408791e98d4b980f2a85dc7
MD5 hash: 6a2769bc2a178495d792a5f9dc03c06a
humanhash: three-social-carpet-happy
File name:DHL_AWB#907853880911_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:778'240 bytes
First seen:2025-09-19 06:39:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qUhEAEbeioEzlqAFQKRnV+hkjQxrqaMWv5ixnRbDQdc5crD+4pQea8cjIF0sJRN:qmEAE6mhqklf+RPM2E9SdNp7a8
Threatray 1'296 similar samples on MalwareBazaar
TLSH T17CF40215676AE902E0B29FF40870E7B01774AD9EBD61C34A9EF59DEFBC357908841382
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_AWB#907853880911_pdf.exe
Verdict:
No threats detected
Analysis date:
2025-09-19 06:52:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da503bd1-e6dd-4c5b-8d2a-fe64222e9113

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28263/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ccfb01246a2631bd30f6b1
Tags:
underscore extens shell remo
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68ccfb39254431b688d49853/reports/315d5083-a610-425b-902c-eba78d0dd8f7/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-19T01:51:00Z UTC
Last seen:
2025-09-19T01:51:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8adc91b-2c0e-4acc-b0d7-a18ab682a394
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1780517
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Uncommon Userinit Child Process
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1780517 Sample: DHL_AWB#907853880911_pdf.exe Startdate: 19/09/2025 Architecture: WINDOWS Score: 100 42 www.78447751.xyz 2->42 44 www.mcssl.com 2->44 46 16 other IPs or domains 2->46 54 Suricata IDS alerts for network traffic 2->54 56 Antivirus detection for URL or domain 2->56 58 Multi AV Scanner detection for submitted file 2->58 62 8 other signatures 2->62 11 DHL_AWB#907853880911_pdf.exe 4 2->11         started        signatures3 60 Performs DNS queries to domains with low reputation 42->60 process4 file5 40 C:\Users\...\DHL_AWB#907853880911_pdf.exe.log, ASCII 11->40 dropped 72 Adds a directory exclusion to Windows Defender 11->72 74 Injects a PE file into a foreign processes 11->74 15 DHL_AWB#907853880911_pdf.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 76 Maps a DLL or memory area into another process 15->76 20 iEX1i4AiQs0R.exe 15->20 injected 78 Loading BitLocker PowerShell Module 18->78 22 WmiPrvSE.exe 18->22         started        24 conhost.exe 18->24         started        process9 process10 26 userinit.exe 13 20->26         started        29 poqexec.exe 20->29         started        signatures11 64 Tries to steal Mail credentials (via file / registry access) 26->64 66 Tries to harvest and steal browser information (history, passwords, etc) 26->66 68 Modifies the context of a thread in another process (thread injection) 26->68 70 3 other signatures 26->70 31 mX3KDtAx5oL6J.exe 26->31 injected 34 chrome.exe 26->34         started        36 firefox.exe 26->36         started        process12 dnsIp13 48 www.flokta.live 203.161.43.199, 49731, 49732, 49733 VNPT-AS-VNVNPTCorpVN Malaysia 31->48 50 czarnecka.org 213.186.33.5, 49751, 49752, 49753 OVHFR France 31->50 52 10 other IPs or domains 31->52 38 WerFault.exe 4 34->38         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86
Link:
https://app.malva.re/file/6a2769bc2a178495d792a5f9dc03c06a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427/
Threat name:
ByteCode-MSIL.Trojan.VIPKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-09-19 04:56:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sejgcw5echlakkev3iwuuj3crhbbunxcvzh7snru3hjap5phkqtq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
104d7263dd77981b760c26e0fb61986e6aa2a3e86eab2ae4bc7468cf28eaf902
Formbook
1b114b61f4a2313dc924eb4ff2cf26fd0c66b0a4127901d5be4531f1a201928e
Formbook
3c1a1ea671c0c3123d70cb864680bebfa1c151ed303514c2bd77347cec44dd9a
Formbook
515261ba7c77ffd970a3bb7e09d3f54fc5184d72ee48082fd3ac145f004f6e6e
Formbook
59452e6856b4aacd74c22b641a883b4aa2fc67a6aa2a0d8d95934ba2ff9288a2
Formbook
9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
Formbook
a4e1ceb8458e0bca4119adb33ded5b1ef154f0ba69594b2079fbbcfb48cbe4ce
Formbook
b0be564eb26f9cf2f58ea450d43194f3a4fb7dd2ca16375e3ecbfd636e5e7c13
Formbook
cb2391d06743d76e0f5494daf21a381c57a6f7f824796697edb50a4424f3fcfc
Formbook
error
Formbook
+ 1'286 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250919-hf1y7aek41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/734231ee-f6b8-4dab-a698-3c8d87179324
Unpacked files
SH256 hash:
9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
MD5 hash:
6a2769bc2a178495d792a5f9dc03c06a
SHA1 hash:
d940a2ef5961160e7408791e98d4b980f2a85dc7
Link:
https://www.unpac.me/results/a3aefac9-c731-43fd-b59b-d72f684090e5/
SH256 hash:
d8dee6129f38c30a483601058aab50d77acffd6f1b69b1b5b08ff4f019046775
MD5 hash:
6759e1947e8cbd934ded2eca86ca7b34
SHA1 hash:
0b8110d446941482c32bf967f2921069a9d2087a
Link:
https://www.unpac.me/results/a3aefac9-c731-43fd-b59b-d72f684090e5/
SH256 hash:
1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12
MD5 hash:
e870d1e8f3791ccc141f85f40fd2972b
SHA1 hash:
150919ee289cffa6feb40ab8261f620dd7e26aac
Link:
https://www.unpac.me/results/a3aefac9-c731-43fd-b59b-d72f684090e5/
SH256 hash:
f706d11c0e2b0c0c1013dd09c9a29ff09e764d75365d17cc18906847a8d59e5a
MD5 hash:
96ba0da5904548590ca8f99733b3ef62
SHA1 hash:
6ef4c5279766929f28f4652de62ce8097583e6b8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a3aefac9-c731-43fd-b59b-d72f684090e5/
SH256 hash:
e233e393b029ebf5f2b60443c92820109ae6de7df083bcd23444ae95848c787a
MD5 hash:
083eb41defe46268e6639f1df8fd1089
SHA1 hash:
9c51eabe59337241588f514ea80bec602dd730e5
Link:
https://www.unpac.me/results/a3aefac9-c731-43fd-b59b-d72f684090e5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9112615ba411/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28263/

Comments