MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adf8f2572d50a7af9af7512742520644479904c5973cad6aafa5b6e83516e36f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18



SHA256 hash: adf8f2572d50a7af9af7512742520644479904c5973cad6aafa5b6e83516e36f
SHA3-384 hash: b3926ad22af965ce31eaaea2bef2e16de4580b5fa7393304dc61a55487491c90778b3ae51546c52f63e6ab0578eab8c0
SHA1 hash: ccdd8edb157871bafc65726bafa8a4f533386a79
MD5 hash: 215e3ab613245551e803d234e3965e4a
humanhash: maryland-floor-kitten-xray
File name: DHL_7348995142_793402-124738.exe
Signature: Formbook
File size: 910'336 bytes
First seen: 2025-09-11 06:36:02 UTC
Last seen: 2025-09-19 10:02:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:CPL99gN5yKyv9TryAshjBNm5h1O4NbWEfbrX2/fi:yL9Sxm4xm8Ef3Xd
Threatray: 1'032 similar samples on MalwareBazaar
TLSH: T1DE15DF5032A8990BE0B64BF045B1D2B00BB5AE6DB966D6CF9DC12CDF79F6F40464270B
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: DHL exe FormBook gooder-bar

Intelligence

File Origin
# of uploads: 3
# of downloads: 104
Origin country: SE

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: DHL_7348995142_793402-124738.exe
Verdict: No threats detected
Analysis date: 2025-09-11 06:55:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.1%
Tags: shell virus msil

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated packed packed packer_detected

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-09T02:25:00Z UTC
Last seen: 2025-09-09T02:25:00Z UTC
Hits: ~100

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100

Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook

Behaviour
Behavior Graph (ID: 1775349; sample: DHL_7348995142_793402-124738.exe; start date: 11/09/2025; architecture: WINDOWS; score: 92)
Top-level signatures in the graph: Multi AV Scanner detection for submitted file; Yara detected FormBook; Yara detected AntiVM3; 4 other signatures
Process tree recovered from the graph: DHL_7348995142_793402-124738.exe started; it dropped C:\...\DHL_7348995142_793402-124738.exe.log (ASCII), added a directory exclusion to Windows Defender, injected a PE file into a foreign process, and started powershell.exe and a second DHL_7348995142_793402-124738.exe; powershell.exe loaded the BitLocker PowerShell module and started conhost.exe and WmiPrvSE.exe; the second DHL_7348995142_793402-124738.exe started WerFault.exe
Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2025-09-09 07:25:37 UTC
File Type: PE (.Net Exe)
Extracted files: 40
AV detection: 28 of 38 (73.68%)
Threat level: 2/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery execution rat spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family

Unpacked files
SHA256 hash: adf8f2572d50a7af9af7512742520644479904c5973cad6aafa5b6e83516e36f
MD5 hash: 215e3ab613245551e803d234e3965e4a
SHA1 hash: ccdd8edb157871bafc65726bafa8a4f533386a79

SHA256 hash: bfd9e784b16c080df91c5019b42a50655c4fefb46bf761f5f19e0b686643c5bb
MD5 hash: 64f04cb0f4a616ad6227723ddec4a13c
SHA1 hash: 12dedd0357cfccb9ef03a62f35b9bf519fe8868a

SHA256 hash: fd742dc757b9e6a65d06ccd34fd72f3ac54f5e9a4cef4897f16e56cb73412510
MD5 hash: aa4da47781ecf50571c33b4d6138c571
SHA1 hash: 98903b6f141d61662fd8e38db479655d9d876f7a
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: b182bb998f20f1caa679f6acf32670554739b4cfd7172076c7663f7aaa82921e
MD5 hash: b2ecef9ee7b1fb0990e69acdcebfe0b6
SHA1 hash: d633c4dbb196159e9fef4d03f3d4e7a21fe74d05

SHA256 hash: 2d406341e1745d47f8007a78b5dbd5392441b61a7692129772d5482d6174f2fd
MD5 hash: 448ed76ba637b5377a2f1b028b97d911
SHA1 hash: ec9d2a30424ff7cc165e5b5103fe3f2c8542c930
Detections: win_formbook_g0

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect PE file that has no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments