MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d
SHA3-384 hash: c54c65d16a22a1de63be2ae1d562a2f2da098767d4dff1a708afc0b07f05eb68492000bf43b1ba200711d49b65793456
SHA1 hash: 915425bb409a55417e086dde788bac917cde2da5
MD5 hash: c1119b5aa38bc88e0a2c044b7abd2c9b
humanhash: equal-carpet-alaska-spring
File name:3NZuuMkllU54tB0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:819'720 bytes
First seen:2025-06-05 13:17:06 UTC
Last seen:2025-06-14 11:54:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:OM3EcLbP9s1P2Hw//wemV+d7Fr/DqYJWubQUD:jLidHwe5/uYJWubpD
Threatray 4'802 similar samples on MalwareBazaar
TLSH T11E05ACD2E6BAD6C3C4655AB52162C2382F753FC97421C2955DF638DB36F2A00328727E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
482
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
3NZuuMkllU54tB0.exe
Verdict:
Malicious activity
Analysis date:
2025-06-05 13:21:36 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/4bb7d748-2e94-423b-8a49-811b85fe2a5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7484/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3345.17806.15343.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68419a0d8bd5d68a12e588d6
Tags:
virus spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/684198e8171e01f959370f50/reports/8610e651-e5f7-4cd9-862f-c9df94057902/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c731cf27-c7b6-412c-9824-64abb7f9f8d6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1707227
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1707227 Sample: 3NZuuMkllU54tB0.exe Startdate: 05/06/2025 Architecture: WINDOWS Score: 100 62 www.aplayplinko.xyz 2->62 64 www.388789.xyz 2->64 66 10 other IPs or domains 2->66 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Sigma detected: Scheduled temp file as task from temp location 2->82 86 7 other signatures 2->86 11 3NZuuMkllU54tB0.exe 7 2->11         started        15 hNyomtkGiD.exe 5 2->15         started        signatures3 84 Performs DNS queries to domains with low reputation 64->84 process4 file5 54 C:\Users\user\AppData\...\hNyomtkGiD.exe, PE32 11->54 dropped 56 C:\Users\...\hNyomtkGiD.exe:Zone.Identifier, ASCII 11->56 dropped 58 C:\Users\user\AppData\Local\...\tmp96FE.tmp, XML 11->58 dropped 60 C:\Users\user\...\3NZuuMkllU54tB0.exe.log, ASCII 11->60 dropped 98 Uses schtasks.exe or at.exe to add and modify task schedules 11->98 100 Writes to foreign memory regions 11->100 102 Allocates memory in foreign processes 11->102 104 Adds a directory exclusion to Windows Defender 11->104 17 vbc.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 23 11->22         started        24 schtasks.exe 1 11->24         started        106 Multi AV Scanner detection for dropped file 15->106 108 Injects a PE file into a foreign processes 15->108 110 Uses threadpools to delay analysis 15->110 26 vbc.exe 15->26         started        28 schtasks.exe 15->28         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 17->68 70 Maps a DLL or memory area into another process 17->70 72 Sample uses process hollowing technique 17->72 76 3 other signatures 17->76 30 explorer.exe 53 1 17->30 injected 74 Loading BitLocker PowerShell Module 20->74 33 conhost.exe 20->33         started        35 WmiPrvSE.exe 20->35         started        37 conhost.exe 22->37         started        39 conhost.exe 24->39         started        41 conhost.exe 28->41         started        process9 signatures10 112 Uses ipconfig to lookup or modify the Windows network settings 30->112 43 ipconfig.exe 30->43         started        46 cmd.exe 30->46         started        48 autochk.exe 30->48         started        process11 signatures12 88 Modifies the context of a thread in another process (thread injection) 43->88 90 Reads the DNS cache 43->90 92 Maps a DLL or memory area into another process 43->92 94 Switches to a custom stack to bypass stack traces 43->94 50 cmd.exe 43->50         started        96 Tries to detect virtualization through RDTSC time measurements 46->96 process13 process14 52 conhost.exe 50->52         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-06-05 07:34:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucm73dpzxvgacrsmnmxl4oh4c5gqonycuc3vgof4aefktajr6ggq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
53d30b6b4749ebdfdfebc9a93793ea3863d5c5ef93594e3c215d91b347db2bca
Formbook
a779cf3623ccd0238d0b5d3f01dcc911e1538a1c0a656442234b4c3335453607
Formbook
b37b37330f9c4970ca450212d0e3e902fb44110b4570bb07574621354509d045
Formbook
c76f4cc201813bc9e4a8d5ae27ce0c59b799f02dd48b3e09af20118a8fe18c50
Formbook
e69d37275cc3b52a9d3a26f76073191ab8f59901781b5ef2859f33dee2252ddc
Formbook
error
Formbook
+ 4'792 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hi26 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250605-qjkqdaek7w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68032d0e-1288-4b09-93e5-705235090dd0
Unpacked files
SH256 hash:
a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d
MD5 hash:
c1119b5aa38bc88e0a2c044b7abd2c9b
SHA1 hash:
915425bb409a55417e086dde788bac917cde2da5
Link:
https://www.unpac.me/results/c4c51027-5d4a-469d-b7d0-64f8ec68cd91/
SH256 hash:
31d37639b748f626185f40c41c4ec3d7fe209c95c159ffcc2c33d2f5de921239
MD5 hash:
31ce9d289fb305b6cfdcef7a3cf1e14a
SHA1 hash:
8137a999c8b3f3e2ee7ee0c6ef04d4219926b220
Link:
https://www.unpac.me/results/c4c51027-5d4a-469d-b7d0-64f8ec68cd91/
SH256 hash:
456e71b5ea6e64256cebd400fa062cea934cfeddefb604cd5be7d7f2d102f1d7
MD5 hash:
64572b074f76d9ed872386f055575416
SHA1 hash:
b832c91afcad4c7e4387e41b01d4ea0383ce0f32
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c4c51027-5d4a-469d-b7d0-64f8ec68cd91/
SH256 hash:
78ce5985f2ff20719b2924f128206c43d71af6eca0c88fdabeecbfef63057741
MD5 hash:
6440b1f79d6f8a2c00a8397e463becf2
SHA1 hash:
b11cecafb882f82c5fc59d60466baf0ad5dbac30
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/c4c51027-5d4a-469d-b7d0-64f8ec68cd91/
Parent samples :
8794b12ebc79acd077de77153363bcef2007aa4e3215d0b0a532156b8a15ae55
53d30b6b4749ebdfdfebc9a93793ea3863d5c5ef93594e3c215d91b347db2bca
876186ad1969e2f202fd93fdde333f8d042e4dd35c687a8f17723f77788d1837
a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d
1fdb37474b1d07f41110416a3381ff1810bd2b9a83e4e0313889f3a941d56ece
6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06
e703350c07f3828f681e338b68e3ab8cd7ca933fcd056bf9487eb10f419431e5
2382293ae93ccb52b8f2085e938dd5748cbcc615bbb93b692e84ca10614b97eb
1fca7f3155e24ba3e96508a8b406395c80966cc7aa5f0ff9e6201f7979c80b8b
7d6248b79e83e710efc263a60b855854648088ea196e3460aece7f3fef4dbc8c
f700199315360a824ed6eca65f543d531d04210118e3cfc8bfbe986ed1641aaa
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a099fd8df9bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a099fd8df9bd4c01464c6b2ebe38fc174d073702a0b75338bc010aa98131f18d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/7484/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments