MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 5 File information Comments

SHA256 hash:	9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19
SHA3-384 hash:	7ddc412fa5b19ba30e8aa3dc395cd6cc0d04eb1d517d96ad7ae83813d3021e6be548e5198c3302dc0a93f43d7225757a
SHA1 hash:	dfd8782548c80c56fdd12242e5105491acd9b7f0
MD5 hash:	ed007e5a7f7ecaa149993ec7aec69617
humanhash:	idaho-venus-speaker-delta
File name:	SecuriteInfo.com.Variant.Genie.8DN.751.6654.20410
Download:	download sample
Signature	Formbook Create hunting rule
File size:	761'856 bytes
First seen:	2025-06-05 11:39:10 UTC
Last seen:	2025-06-05 12:38:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:mER0BNDi2I4Dm915791sBJy4tQJ9059vRC7aISzj2VuteT/k2VanYQJU5:mEeDit4DmT57aQ4YI9A7Mtm/kSEg5
Threatray	3'722 similar samples on MalwareBazaar
TLSH	T170F41212315AE817C8FB0BF91B22D2B96BB97C8C9411D18BEFD92DDB74E2710615438B
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	07111534283c3927 (4 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

459

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Variant.Genie.8DN.751.6654.20410

Verdict:

Malicious activity

Analysis date:

2025-06-05 11:41:04 UTC

Tags:

netreactor formbook xloader

Link:

https://app.any.run/tasks/5576ae6a-e28f-4803-b4a6-3065ac79ae8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/7465/

Detection(s):

SecuriteInfo.com.Variant.Genie.8DN.751.6654.20410.UNOFFICIAL

Verdict:

Clean

Score:

N/A%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6841831b8bd5d68a12e58382

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/684181ff171e01f95936fa8c/reports/e9bcf369-bb6c-48e7-a38c-fe70f96cc2cd/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1b4ae37-b368-4a3d-a682-68b0c9aabcbc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1707141

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Uses threadpools to delay analysis

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-06-05 03:49:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ti3j6cumzlm4pj2b3svdm4frrsvuoumok5mim23ucrpzixbq5qmq._file

Verdict:

malicious

Label(s):

unc_loader_037

Formbook

59cb54570d5d67d0dc406d25b3fb2413663e11eab1034ac83d3924e93205e33a

Formbook

779065a001ee3006e880df587c823741e372eeeddbb5725dd53cb35349c79d89

Formbook

989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d

Formbook

error

Formbook

+ 3'712 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250605-nsjhkawry8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f4bb9e5b-d7f0-4dd7-80d3-0e226e44b95c

Unpacked files

SH256 hash:

9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19

MD5 hash:

ed007e5a7f7ecaa149993ec7aec69617

SHA1 hash:

dfd8782548c80c56fdd12242e5105491acd9b7f0

Link:

https://www.unpac.me/results/d12433d8-8b96-4d6f-b9cd-03da95bb7739/

SH256 hash:

66812c00bd482706605f2c5c76838812aa4e470e28a60fb5247673e43b7c7f8a

MD5 hash:

2879cb6c2c1afd14393b1a3af22c1212

SHA1 hash:

115928d9df0046011b1759faeb1e94c33e1574db

Link:

https://www.unpac.me/results/d12433d8-8b96-4d6f-b9cd-03da95bb7739/

SH256 hash:

cdd12566af7e180945bc7573f5113fa2bb3b9b4ac4e1fb0b3174bb1f69bc099d

MD5 hash:

cc5a1404cf9fa4da0478e2b1ec2915ca

SHA1 hash:

4812e5376682c1f4083313b5070dcdf6875051da

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d12433d8-8b96-4d6f-b9cd-03da95bb7739/

Parent samples :

a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1
9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19
9457c57f87426deb09c61c3d665d58120b8007a004a09777aae236a74526ff2f
68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8

SH256 hash:

50aba0f0bc1ba3c0b6a315ea0eb1060ad8de36ce7cb0d3431b1f9a63075bc2ad

MD5 hash:

94b683095e7a22867dfffd262df1e160

SHA1 hash:

75dc922cba0a7a2341c5054d34b74e676102b486

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d12433d8-8b96-4d6f-b9cd-03da95bb7739/

SH256 hash:

eb02d7b47e81e969d1528dece3a422550b8314bcefe7eec488521a498273ce72

MD5 hash:

7015ad9877a6317cf0d959f78155503d

SHA1 hash:

4c3fb97c542021426b2433379ee230894da7f4ef

Link:

https://www.unpac.me/results/d12433d8-8b96-4d6f-b9cd-03da95bb7739/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9a369f0a8cca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/7465/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample