MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1
SHA3-384 hash:	5f4445e294ebbc3eddd1557e46960aa477e5a6326fffe33592ba225e83768d9c25755abb06fb0798c0868e1f90e2f0d0
SHA1 hash:	fa9baa3eba521dcb15904191ff26c079860e8d5a
MD5 hash:	bb2bbf0f50883e27d7122b5b5e46ff61
humanhash:	whiskey-lamp-two-india
File name:	SecuriteInfo.com.Win32.MalwareX-gen.361.2604
Download:	download sample
Signature	Formbook Create hunting rule
File size:	753'664 bytes
First seen:	2025-06-05 04:31:40 UTC
Last seen:	2025-06-05 20:51:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:dSR0B0qgjlL/d4cjCgVACxtNKlYtlD6Ni5gYNX1TlteAKNXTnPgN:dSrBykVts6tl+jw32PS
TLSH	T133F412553365E907E1A20BB80932D07567FD7DCDA401C6AB8FE62CEFB9E17102611B87
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	07111534283c3927 (4 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

586

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.361.2604

Verdict:

No threats detected

Analysis date:

2025-06-05 04:40:12 UTC

Tags:

netreactor

Link:

https://app.any.run/tasks/5253c52e-0b16-4862-93d3-c10748682c64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/7389/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.361.2604.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68411fb507b5e8c1cfe4cf6b

Tags:

virus micro msil

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68411f12171e01f959369668/reports/a2e493bb-e715-4187-8d32-7bbc2b352480/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e72af7f8-bc1b-4d68-9fb2-22dc74e7b44c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1706787

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Uses threadpools to delay analysis

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-06-05 03:55:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ufcm2eyojfo5fl7yhqkdtll64p5252qbeu4232ysb5kkqhscd7aq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250605-e872esskx7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7be56cfd-ec4e-40f7-b522-50cddf183cbf

Unpacked files

SH256 hash:

a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1

MD5 hash:

bb2bbf0f50883e27d7122b5b5e46ff61

SHA1 hash:

fa9baa3eba521dcb15904191ff26c079860e8d5a

Link:

https://www.unpac.me/results/54b001c9-f7ac-4d60-a0e2-9df68e86e06d/

SH256 hash:

cdd12566af7e180945bc7573f5113fa2bb3b9b4ac4e1fb0b3174bb1f69bc099d

MD5 hash:

cc5a1404cf9fa4da0478e2b1ec2915ca

SHA1 hash:

4812e5376682c1f4083313b5070dcdf6875051da

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/54b001c9-f7ac-4d60-a0e2-9df68e86e06d/

Parent samples :

a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1
9a369f0a8ccad9c7a741dcaa3670b18cab47518e5758866b74145f945c30ec19
9457c57f87426deb09c61c3d665d58120b8007a004a09777aae236a74526ff2f
68fae3525daf2f34468abf08649f38ae82b7d0adbe3c0714476702bd58c39fa8

SH256 hash:

00383de0838a17a8d61ca4375fb8b275297337d6cce73afe108efa35018058fc

MD5 hash:

9850dea4433e133e33091b18c7a6bb32

SHA1 hash:

d739029a85827add4061388535457d264f22ac7c

Link:

https://www.unpac.me/results/54b001c9-f7ac-4d60-a0e2-9df68e86e06d/

SH256 hash:

faa87d3b144a06d19c65eb60554ad493aedf802c68ac58cf9f17c31f81ce6d4d

MD5 hash:

7792a646ad49dc5f6931eee2eb8589b9

SHA1 hash:

ebc28b418cfa16b78ff3a307aa9bd5d8f4db100a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/54b001c9-f7ac-4d60-a0e2-9df68e86e06d/

SH256 hash:

dc03fe83b88ecd1086340cf60835c034e6a1dc13538bc872ee54e5b62ea996d8

MD5 hash:

8d9f571c83edc271de7077347418d417

SHA1 hash:

ecf49ede1240ed0582260fd0943a5b1fff0b470c

Link:

https://www.unpac.me/results/54b001c9-f7ac-4d60-a0e2-9df68e86e06d/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a144cd130e49/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a144cd130e495dd2aff83c1439ad7ee3fbaeea012539adeb120f54a81e421fc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/7389/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample