MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0
SHA3-384 hash: 2c7c8ef6000695d31aac475979b5fa9e1cf449b4225d997898770a039e10e2c408ffde2b51054caa7f2331e960493ef5
SHA1 hash: 85e630618551332f5335b340dcd4671fc32bcf9a
MD5 hash: b08601af470502401489d09b7da0be7f
humanhash: edward-uranus-alpha-sink
File name:Rev_PO#20250728.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:916'992 bytes
First seen:2025-07-29 15:40:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:px8fwIp2byVPtc1/rV7LG9VRDrMiaorvoJbgJn9294Mds/Lkta7v/L6OiSkSySpz:jxIpiL9orwJbgy99beL6OiSt/D
TLSH T1CD15F15D3AA55E60CF4C5BBBC003941846F6CC67A636F76B12C82CB62D32AC4E58FC95
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
_add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0.exe
Verdict:
Malicious activity
Analysis date:
2025-07-29 15:42:35 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/4b82ce82-c9d2-42e8-ac48-593b12e112b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17606/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6888eb89af3050dc8d321ab6
Tags:
shell micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6888eb7613488cfd44de9d13/reports/bd43cc76-042a-4f46-9360-91a3345c2645/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/761b510b-8a5e-402b-b320-d685715de281
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1746442
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1746442 Sample: Rev_PO#20250728.exe Startdate: 29/07/2025 Architecture: WINDOWS Score: 100 38 www.terkocsamet.xyz 2->38 40 www.maximmint.xyz 2->40 42 16 other IPs or domains 2->42 56 Suricata IDS alerts for network traffic 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected FormBook 2->60 64 6 other signatures 2->64 11 Rev_PO#20250728.exe 3 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 62 Performs DNS queries to domains with low reputation 40->62 process4 dnsIp5 66 Adds a directory exclusion to Windows Defender 11->66 68 Injects a PE file into a foreign processes 11->68 17 Rev_PO#20250728.exe 11->17         started        20 powershell.exe 23 11->20         started        50 127.0.0.1 unknown unknown 14->50 signatures6 process7 signatures8 52 Maps a DLL or memory area into another process 17->52 22 Lh1wnKWM0pW.exe 17->22 injected 54 Loading BitLocker PowerShell Module 20->54 25 WmiPrvSE.exe 20->25         started        27 conhost.exe 20->27         started        process9 dnsIp10 44 www.sloshe.tokyo 46.37.111.118, 49702, 49703, 49704 Y-INTERNETGB Spain 22->44 46 www.closereasons.online 216.40.34.41, 49706, 49707, 49708 TUCOWSCA Canada 22->46 48 11 other IPs or domains 22->48 29 dllhost.exe 13 22->29         started        process11 signatures12 70 Tries to steal Mail credentials (via file / registry access) 29->70 72 Tries to harvest and steal browser information (history, passwords, etc) 29->72 74 Modifies the context of a thread in another process (thread injection) 29->74 76 2 other signatures 29->76 32 chrome.exe 29->32         started        34 firefox.exe 29->34         started        process13 process14 36 WerFault.exe 4 32->36         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0/
Verdict:
Malicious
Threat:
Trojan.MSIL.Inject
Link:
https://tip.neiki.dev/file/add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-07-29 15:40:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxlpnhhzbd5sdsbom7c2jdy3tqv472muujaobh4itvg7opbhqpya._file
Verdict:
malicious
Label(s):
d&dloader
Create hunting rule
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250729-s4hsmazjs3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6a1eb5eb-aee9-4843-b361-9963d7dece2a
Unpacked files
SH256 hash:
add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0
MD5 hash:
b08601af470502401489d09b7da0be7f
SHA1 hash:
85e630618551332f5335b340dcd4671fc32bcf9a
Link:
https://www.unpac.me/results/1e248327-eb96-4655-ab3a-58b724592ae0/
SH256 hash:
194eaf4630ad0dc2c6a01fa2e0c2c891d80c737847393dfc0a9db490b8f6ccfa
MD5 hash:
8032570f82f7741316492c02d1a29a43
SHA1 hash:
501f5cfff95af3025b220b6f43fc85c88fd88b10
Link:
https://www.unpac.me/results/1e248327-eb96-4655-ab3a-58b724592ae0/
SH256 hash:
ce794e89689678c68b03170b1d201f65032ab224ef104cfbc87af4e0accf4175
MD5 hash:
f8d581332904f5c208345e96ee291d34
SHA1 hash:
d9bea5feb7471b5c6aa835d3585d5c7d365c73a8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1e248327-eb96-4655-ab3a-58b724592ae0/
SH256 hash:
27893a955f067dcca26909b05f6cb55aaefbef9878140adbc470ea24430bfa4c
MD5 hash:
4fc852366f02aaef7ee046efb77269ea
SHA1 hash:
e191ec017870a81e33a0e19854dda0d148a93164
Link:
https://www.unpac.me/results/1e248327-eb96-4655-ab3a-58b724592ae0/
SH256 hash:
ef1ad6b633fc57457c5996af72d20837273b9f4a20fd144d01605bcb216a7d98
MD5 hash:
0cd5f36688ec8bb0f1311a10824c9ccd
SHA1 hash:
dfd63ec59ea077d12fca03c19a6d358b7a74f5f3
Link:
https://www.unpac.me/results/1e248327-eb96-4655-ab3a-58b724592ae0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/add6f69cf908/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MoleBoxv20
Create hunting rule
Author:malware-lu
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe add6f69cf908fb21c82e67c5a48f1b9c2bcfe994a240e09f889d4df73c2783f0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17606/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments