MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aefde6d259b1398c252e898253588e747ac7aca311a143d3e694c644ccb47c3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18



SHA256 hash: aefde6d259b1398c252e898253588e747ac7aca311a143d3e694c644ccb47c3b
SHA3-384 hash: 94abac4cd2f45d31b0f03c314323573a0f38efa4e4cdaa543a4c57b2c204e932d13a459a9466d51553603b6df2eb23ae
SHA1 hash: 2858391ec357cc03c65121f797111ba932af0a5f
MD5 hash: 6d4d9ab3ac9d866709a5694bcf8ff9ee
humanhash: edward-washington-montana-south
File name: Quotation Request For New Order.pdf.bat
Signature: Formbook
File size: 751'616 bytes
First seen: 2025-08-01 09:38:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:mbU8ughZGzU9yroGAKNutv6fHRx1EDQzLiWQmHoZKmy+yauU1FRG/O4sZH:mbnfGzU9UJAGuV6EALiZmIwdU1SvsZH
TLSH: T100F4F169EE23D402F45497770742FA3977AA4E6C91C1C2B57AF8DED7B8AD6000F53212
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 4c36f2cca3dc949c (7 x SnakeKeylogger, 2 x MassLogger, 2 x a310Logger)
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: CH

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Quotation Request For New Order.pdf.bat
Verdict: No threats detected
Analysis date: 2025-08-01 09:39:38 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: shell micro spawn
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bitmap masquerade obfuscated packed packed reconnaissance roboski stego
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID: 1748319; Sample: Quotation Request For New Order.pdf.bat.exe; Startdate: 01/08/2025; Architecture: WINDOWS; Score: 100
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable PDB Path PE (Portable Executable) SOS: 0.34 Win 32 Exe x86

Threat name: Win32.Trojan.Kepavll
Status: Malicious
First seen: 2025-08-01 05:59:57 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 23 of 38 (60.53%)
Threat level: 5/5

Verdict: malicious
Label(s): unc_loader_037 formbook
Similar samples:

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SHA256 hash: aefde6d259b1398c252e898253588e747ac7aca311a143d3e694c644ccb47c3b
MD5 hash: 6d4d9ab3ac9d866709a5694bcf8ff9ee
SHA1 hash: 2858391ec357cc03c65121f797111ba932af0a5f

SHA256 hash: b025b0888a37d4168b20507afff008b017ace12a66fddebd03ecad58c601148b
MD5 hash: 1f9a9f052b6d9b55d113e7a008be6f9f
SHA1 hash: 2a4e79c1110fbefdd9dda6430b8bf02bb210183d
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 967146c82ece78864f1b9fc82ed6d5f4022813c1530e7b5cfde0eddee5ce0305
MD5 hash: 034bc9b16ef9e131e34454cd52685397
SHA1 hash: af31017ff5a6a0391daf989ea55f8c1fb7fd902f

SHA256 hash: dc938ea15a9847461561589a5e520721e4cd54c435dacd13cbdd0840b15e88a2
MD5 hash: b350e2b0ec02cf642dcacd824413695f
SHA1 hash: b987018b77a844c3f34d541a03705030778d22d9

SHA256 hash: 5e8c64f07ff0a0e62af1274b86a3a171881ae1f02967043ada5c97e29ee8502c
MD5 hash: 50a8bbe48e41e6fa24a55f1da233f0f1
SHA1 hash: bc2238639e5f7e906c89d7d99d6d73333b327b2a

SHA256 hash: 0ffdca58f94cb6f40fed4cc5b33fee59a6d459c44a4b02d62e349e0b6e34f55e
MD5 hash: 9edd43dc371461986a60fa94246add95
SHA1 hash: af96eb08be1b0587094adbfcb22f58895a6f9a25
Detections: win_formbook_g0

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe aefde6d259b1398c252e898253588e747ac7aca311a143d3e694c644ccb47c3b (this sample)
Delivery method: Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high
