MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 14 File information Comments

SHA256 hash:	b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8
SHA3-384 hash:	d10bb76a0a89728925d87311cffa66f93bfe2f1b78594601f8123c73b6c5dc243e46e0b6d0588d0f454f33d38ef68248
SHA1 hash:	8437c6bfeefede5ac4885096b88fbe2ef32c8e2e
MD5 hash:	d0e6bb6d041c0fd4cf178c516f675a08
humanhash:	east-sweet-indigo-ceiling
File name:	ddosrl$.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	235'008 bytes
First seen:	2025-07-04 11:16:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'757 x AgentTesla, 19'664 x Formbook, 12'252 x SnakeKeylogger)
ssdeep	6144:lloZMOfsXtioRkts/cnnK6cMlOX7fhv0IHx2PxM4dvYnb8e1mVMmi:noZCtlRk83MlOX7fhv0IHx2PxM4d+AML
TLSH	T11C346B4933B88B17E25F8BBED5B1558F87B1F103E90AF7CE0C8899E82411742E949E57
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rl_b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8

Verdict:

Malicious activity

Analysis date:

2025-07-04 11:24:59 UTC

Tags:

stealer auto-startup evasion umbralstealer discordgrabber generic umbral divulgestealer discord exfiltration ims-api

Link:

https://app.any.run/tasks/0532e0bf-1d9d-47a8-b849-832eb4a558e3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

UmbralStealer

Link:

https://www.capesandbox.com/analysis/12304/

Detection(s):

Win.Packed.Msilzilla-9952790-0

Win.Packed.Msilzilla-9955952-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6867b837c9eb9747376632f9

Tags:

vmdetect autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %temp% directory

Creating a window

Sending an HTTP GET request

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm anti-vm base64 cmd fingerprint hacktool lolbin obfuscated reconnaissance wmic

Link:

https://www.filescan.io/uploads/6867b8429db85bde254a9223/reports/9ed1d8b4-a476-4a68-9c02-436d41473129/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8

Malware family:

Sharp Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a712a63a-4c19-4ca6-843d-f95e7da8f2f1

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

.Net Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/d0e6bb6d041c0fd4cf178c516f675a08

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8/

Threat name:

ByteCode-MSIL.Trojan.UmbralStealer

Status:

Malicious

First seen:

2025-07-04 11:17:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 37 (83.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wp6v6deq3msevc2kthi7ynbkxrkemqzszqjke6zw5id7maoxc7ea._file

Verdict:

malicious

Label(s):

umbral

Similar samples:

error

Formbook

Result

Malware family:

umbral

Score:

10/10

Tags:

family:umbral execution spyware stealer

Link:

https://tria.ge/reports/250704-ndp2ss1yez/

Behaviour

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detect Umbral payload

Umbral

Umbral family

Malware Config

C2 Extraction:

https://discordapp.com/api/webhooks/1390431858537529586/SoV5MUsiH2bKEvPTnw35lcMTFItJ8HCwfBKUEWMhO-jzOt1NJiAjmzOCAz6cNB3W5Y25

Verdict:

Malicious

Tags:

stealer umbral Win.Packed.Msilzilla-9952790-0

YARA:

MALWARE_Win_Umbralstealer

Link:

https://app.threat.zone/submission/5dfcfbd3-78d3-4b16-a211-d3aea94521e4

Unpacked files

SH256 hash:

b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8

MD5 hash:

d0e6bb6d041c0fd4cf178c516f675a08

SHA1 hash:

8437c6bfeefede5ac4885096b88fbe2ef32c8e2e

Detections:

UmbralStealer

Link:

https://www.unpac.me/results/ced2f93e-b071-4421-af66-b33beed3f7a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/b3fd5f0c90db244a8b4a99d1fc342abc54464332cc12a27b36ea07f601d717c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM names

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox system UUIDs

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MALWARE_Win_UmbralStealer Create hunting rule
Author:	ditekShen
Description:	Detects Umbral infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	UmbrealStealerEXIFData Create hunting rule
Author:	adm1n_usa32
Description:	Detects UmbralStealer by obvious comment in EXIF Data

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12304/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample