MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22
SHA3-384 hash: 7e572d9a8fdb72621250e234e8f8a48547c4172d14a600267d6cc71ef69fa04bf4cc4be530443266a005374497c6b69a
SHA1 hash: 08e30c2264ba924b55aa0590c4b30e8216e83c5c
MD5 hash: 19117b909f82a51b0d352304b1ed2913
humanhash: river-thirteen-minnesota-twelve
File name:bin.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:287'744 bytes
First seen:2025-03-21 14:00:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:PKnxmotQP9sNXorCa+iof2rhAUCt75uoD/A2gk2/L3d2ecYvPKx6NBL+:YW9sxorfoAGuoD/AbbL3drcwU67L
Threatray 24 similar samples on MalwareBazaar
TLSH T1845412EC6410443ADC7B323D28B573FB09B605E67AB582125ED96DC49334C36A77A20F
TrID 35.7% (.EXE) Win32 Executable (generic) (4504/4/1)
16.3% (.ICL) Windows Icons Library (generic) (2059/9)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
448
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bin.exe
Verdict:
No threats detected
Analysis date:
2025-03-21 15:12:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/492b20bb-6e85-4d94-ab02-a90db7181dd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dd7129115e7b48b48f6b69
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/67dd711a1dd35ee4a0ea8d3b/reports/d0ee0238-5d8d-423c-abd7-051980f36984/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f00a1e7f-4513-432a-a99a-a62b57b9f14a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1645224
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645224 Sample: bin.exe Startdate: 21/03/2025 Architecture: WINDOWS Score: 100 24 www.whalegamefi.xyz 2->24 26 www.tropicus.xyz 2->26 28 13 other IPs or domains 2->28 36 Suricata IDS alerts for network traffic 2->36 38 Antivirus detection for URL or domain 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 44 3 other signatures 2->44 9 bin.exe 2->9         started        signatures3 42 Performs DNS queries to domains with low reputation 26->42 process4 signatures5 48 Maps a DLL or memory area into another process 9->48 12 CH4u2YQuBDOF9C37DNi.exe 9->12 injected process6 signatures7 50 Found direct / indirect Syscall (likely to bypass EDR) 12->50 15 RMActivate_ssp_isv.exe 13 12->15         started        process8 signatures9 52 Tries to steal Mail credentials (via file / registry access) 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 15->54 56 Modifies the context of a thread in another process (thread injection) 15->56 58 3 other signatures 15->58 18 CH4u2YQuBDOF9C37DNi.exe 15->18 injected 22 firefox.exe 15->22         started        process10 dnsIp11 30 www.flashselectionhub.shop 162.210.195.105, 49738, 49739, 49740 LEASEWEB-USA-WDCUS United States 18->30 32 51-clubb.net 208.109.172.233, 49697, 49698, 49699 GO-DADDY-COM-LLCUS United States 18->32 34 8 other IPs or domains 18->34 46 Found direct / indirect Syscall (likely to bypass EDR) 18->46 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-21 14:00:40 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tl3cbjwqy2inkdj2c6zs7lm5kia75gdv53oery4agq6i5hggtqra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
004b01b19e0225e92388a04d9792240192952ef47f40679b71fbe6de33982f11
Formbook
2744da94da0a5d848f9fa9dc01f13b7040d2eb9305954fdfacf97f4aa9016495
Formbook
361824a93963a036303e3693dba63c248755a51cee833207da9023d7dea8a381
Formbook
5125cd2510684f104967b37d5bcdd3247c38c813b1c6f251a3c8376974ffb6a0
Formbook
583301080b343f41fc8676a407e3892129834c1c6ae07fd47342e7c0077a224b
Formbook
7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e
Formbook
86cfac3955af9eb6cc14f7fdcffaf83be9b9240f9a87240886227108d36a3f53
Formbook
9ae658d8611c3265310baa2f438692bd52d65206e7a3d1ef49be5a8d68eccd47
Formbook
9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22
Formbook
error
Formbook
f7e7b3b8740c159ae7ad937f4f638a80288d2cc6932964fab66b19c476f87ccc
Formbook
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250321-rbckgazwgy/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eb818946-4d45-44d4-af78-c46fad465d00
Unpacked files
SH256 hash:
9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22
MD5 hash:
19117b909f82a51b0d352304b1ed2913
SHA1 hash:
08e30c2264ba924b55aa0590c4b30e8216e83c5c
Link:
https://www.unpac.me/results/fde78052-e767-4931-be7f-1e7c0d1a8054/
SH256 hash:
e26cb262ecd808a1dde125009c0c457b15d4aced549a6ea038413d03a0c77844
MD5 hash:
6804f293fb6de3a3ec836458cbd91c20
SHA1 hash:
464570d624f8e9d4b047c416a8071946c1714a6a
Link:
https://www.unpac.me/results/fde78052-e767-4931-be7f-1e7c0d1a8054/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9af620a6d0c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9af620a6d0c690d50d3a17b32fad9d5201fe9875eedc48e380343c8e9cc69c22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments