MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
SHA3-384 hash: a0fed38090d03f34174592df7698168dcab287f30e4a9751abc1b0e3ed6d721ff56844007032318ff37c5cd2bd202004
SHA1 hash: 972a87d9c89f4b897bd31a1bafbe4b7b1dbbdfcd
MD5 hash: 0ed290496fd80019928319c8b782248d
humanhash: pizza-avocado-spring-east
File name:9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
Download: download sample
Signature Formbook
Create hunting rule
File size:837'128 bytes
First seen:2025-06-10 08:51:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:LHEIZc9rkqe5/miSLYxSAKbusGzTatFmJYM4w+k8BBJLdKodVFmw+AkR:LHEIMkqm3mA6JoT68vhsJLdrdVFmnn
Threatray 4'588 similar samples on MalwareBazaar
TLSH T18F05E000A6D89F06C47B2BF465A1D27427B4AE8AF932C39B4ED4BCEB7C71B114906357
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
Verdict:
Malicious activity
Analysis date:
2025-06-10 11:11:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28323446-cdca-43c5-9c7e-d5958aae6d0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8402/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6847f23e8bd5d68a12e75877
Tags:
spawn shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba559e49-bcf3-4ae8-b687-4b37db76921f
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1711629
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1711629 Sample: ahNyLR6fki.exe Startdate: 11/06/2025 Architecture: WINDOWS Score: 100 65 www.atchme.xyz 2->65 67 www.tudioblijmetklei.online 2->67 69 8 other IPs or domains 2->69 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 93 12 other signatures 2->93 11 ahNyLR6fki.exe 7 2->11         started        15 bTEngkkWlPhVoV.exe 5 2->15         started        signatures3 91 Performs DNS queries to domains with low reputation 65->91 process4 file5 57 C:\Users\user\AppData\...\bTEngkkWlPhVoV.exe, PE32 11->57 dropped 59 C:\...\bTEngkkWlPhVoV.exe:Zone.Identifier, ASCII 11->59 dropped 61 C:\Users\user\AppData\Local\...\tmpAD67.tmp, XML 11->61 dropped 63 C:\Users\user\AppData\...\ahNyLR6fki.exe.log, ASCII 11->63 dropped 95 Uses schtasks.exe or at.exe to add and modify task schedules 11->95 97 Adds a directory exclusion to Windows Defender 11->97 99 Tries to detect virtualization through RDTSC time measurements 11->99 101 Switches to a custom stack to bypass stack traces 11->101 17 ahNyLR6fki.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 23 11->22         started        28 2 other processes 11->28 103 Multi AV Scanner detection for dropped file 15->103 105 Injects a PE file into a foreign processes 15->105 107 Uses threadpools to delay analysis 15->107 24 bTEngkkWlPhVoV.exe 15->24         started        26 schtasks.exe 15->26         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 17->73 75 Maps a DLL or memory area into another process 17->75 77 Sample uses process hollowing technique 17->77 79 Queues an APC in another process (thread injection) 17->79 30 explorer.exe 91 1 17->30 injected 81 Loading BitLocker PowerShell Module 20->81 34 conhost.exe 20->34         started        36 WmiPrvSE.exe 20->36         started        38 conhost.exe 22->38         started        83 Found direct / indirect Syscall (likely to bypass EDR) 24->83 40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        process9 dnsIp10 71 www.ave.world 13.248.169.48, 49698, 80 AMAZON-02US United States 30->71 115 System process connects to network (likely due to code injection or exploit) 30->115 44 rundll32.exe 30->44         started        47 cmmon32.exe 30->47         started        49 autofmt.exe 30->49         started        51 autofmt.exe 30->51         started        signatures11 process12 signatures13 109 Modifies the context of a thread in another process (thread injection) 44->109 111 Maps a DLL or memory area into another process 44->111 53 cmd.exe 44->53         started        113 Tries to detect virtualization through RDTSC time measurements 47->113 process14 process15 55 conhost.exe 53->55         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-05-22 12:53:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
29 of 36 (80.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t65z35kz6aevyb3tid5dffek5uybij5nnmi7b5uconwkm2k5ib3q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
0198cc6636a1c05da00eb7457f498c6e1743fe0a9e3d50fc106621f862bf04dd
Formbook
3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
Formbook
6f706398207b1fd3a00de5f859dc840cf8e100175fdabe260ebb96db5980f03c
Formbook
9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
Formbook
error
Formbook
f4f30e7141908e117623dcac4e9f98cee8287fab750a1d720bdba5350cad19c9
Formbook
f86f20a799e10fb4906d426906e30734636a4c2743b8dd1b781adb307f4d5576
Formbook
+ 4'578 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hi07 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250610-ksvztaam51/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/14fc1a1b-af9d-4f15-ab37-3878973bc9ae
Unpacked files
SH256 hash:
9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
MD5 hash:
0ed290496fd80019928319c8b782248d
SHA1 hash:
972a87d9c89f4b897bd31a1bafbe4b7b1dbbdfcd
Link:
https://www.unpac.me/results/95974498-abe2-4d90-b199-93acc178ea01/
SH256 hash:
bf5b27bd17beb68ab8d178b4c52b8e9fd236b05c5652f4e876f6cc3a40ade4d5
MD5 hash:
0e26f688322d6e948a912101be685e83
SHA1 hash:
3403cc9b8b356b96266314f2ca141261a78ed20d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/95974498-abe2-4d90-b199-93acc178ea01/
Parent samples :
9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
eade91a91cfb37da846b62e7b1d25060446ebffaa32f119b844276c0bb28b5ff
SH256 hash:
62c46e61d15a4ddf4ed4e998dba7ea1fa2fffca3e2a8ae11744eed1befbe3510
MD5 hash:
f74d5dc3b372fd76676f7c5f6b44428b
SHA1 hash:
99a11d4a3054443ad83b9fffd2d5de949204ae36
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/95974498-abe2-4d90-b199-93acc178ea01/
SH256 hash:
91261cb28721ff9970e64aebd6d5d5e42195e5e8e0ff33c5f0f6596a5cd16a3d
MD5 hash:
ced3def4ad5c2872a3957a8deb78f6aa
SHA1 hash:
42b66ac0024a090f4b6e9c56b44781f2cf0b6527
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/95974498-abe2-4d90-b199-93acc178ea01/
Parent samples :
9b80a8c7bd762d18e429725dc2520d7526b71d89593b49139ea7432170480648
1b90fa962c8b4ae6410c30cdd4af285caa2ed2381541572cf61a8cb20bfb36ce
9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9fbb9df559f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9fbb9df559f0095c077340fa32948aed301427ad6b11f0f682736ca6695d4077

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/8402/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments