MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b498807992cd0b5e151f3788ab97e7fb4f4381ce96ee7f80a0397ca9383db96f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 18



SHA256 hash: b498807992cd0b5e151f3788ab97e7fb4f4381ce96ee7f80a0397ca9383db96f
SHA3-384 hash: d3d91f3545414a3286b05836c5704cb4dad0ff807044a395b75eea301ccd52c324dea9c43fda832ec1024df48391df33
SHA1 hash: 05e26ff7ac970b4664441cf66db3e0878c4a6354
MD5 hash: 6b9d961ba9030fe2dc98bbb48303dacb
humanhash: three-muppet-shade-november
File name: 9112025-MT103.exe
Signature: Formbook
File size: 808'960 bytes
First seen: 2025-09-11 12:55:07 UTC
Last seen: 2025-09-11 18:00:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:BRQI11WPOAbQdYYYfrMf8JGhO68sTXdr5w:B91EFQdRYzepX
Threatray: 1'263 similar samples on MalwareBazaar
TLSH: T1F305E0122F8DCADAD4F2DBF14A33D1701E6C9E64AC52D2329ED43F9BF23E6109941592
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 114
Origin country: CH
Vendor Threat Intelligence

Malware family: formbook
ID: 1
File name: 9112025-MT103.exe
Verdict: Malicious activity
Analysis date: 2025-09-11 12:59:14 UTC
Tags: auto-sch-xml formbook xloader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: krypt spawn msil

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Creating synchronization primitives
  Creating a process with a hidden window
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a file in the %temp% directory
  Launching a process
  Creating a file
  Sending a custom TCP request
  Adding an exclusion to Microsoft Defender
  Enabling autorun by creating a file
  Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bitmap lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc zero

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-11T02:44:00Z UTC
Last seen: 2025-09-11T02:44:00Z UTC
Hits: ~1000
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
  .NET source code contains method to dynamically call methods (often used by packers)
  .NET source code contains potential unpacker
  Adds a directory exclusion to Windows Defender
  Joe Sandbox ML detected suspicious sample
  Loading BitLocker PowerShell Module
  Maps a DLL or memory area into another process
  Modifies the context of a thread in another process (thread injection)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Performs DNS queries to domains with low reputation
  Queues an APC in another process (thread injection)
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Sigma detected: Scheduled temp file as task from temp location
  Suricata IDS alerts for network traffic
  Switches to a custom stack to bypass stack traces
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Yara detected AntiVM3
  Yara detected FormBook
Behaviour
Behavior Graph:
  Behavior Graph ID: 1775587
  Sample: 9112025-MT103.exe
  Startdate: 11/09/2025
  Architecture: WINDOWS
  Score: 100

  Network contacted by the sample:
    www.youcontributions.xyz
    www.youcaster.xyz (Performs DNS queries to domains with low reputation)
    19 other IPs or domains

  Sample-level signatures: Suricata IDS alerts for network traffic; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 6 other signatures

  Process tree:
    9112025-MT103.exe (started)
      dropped: C:\Users\user\AppData\...\OsIVOEjfqrqNeW.exe (PE32)
      dropped: C:\Users\user\AppData\Local\...\tmp1034.tmp (XML)
      dropped: C:\Users\user\...\9112025-MT103.exe.log (ASCII)
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      vbc.exe (started)
        signature: Maps a DLL or memory area into another process
        XJpyMKFU1nM9.exe (injected)
          sxstrace.exe (started)
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
            a2qrCWrC7Dl.exe (injected)
              www.symbolx.xyz 166.117.110.61, ports 49721, 49723, 49724, NSWPOLSERV-AS-APNewSouthWalesPoliceAU, United States
              www.cunbet.mom 104.21.34.136, ports 49763, 49764, 49765, CLOUDFLARENETUS, United States
              8 other IPs or domains
            chrome.exe (started)
              WerFault.exe (started)
            firefox.exe (started)
      powershell.exe (started)
        signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
      powershell.exe (started)
        conhost.exe (started)
      schtasks.exe (started)
        conhost.exe (started)
    OsIVOEjfqrqNeW.exe (started)
      signature: Multi AV Scanner detection for dropped file
      schtasks.exe (started)
        conhost.exe (started)
      vbc.exe (started)
Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.28 Win 32 Exe x86

Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2025-09-11 06:22:26 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 28 of 37 (75.68%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution persistence
Behaviour:
  Scheduled Task/Job: Scheduled Task
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Checks computer location settings
  Uses the VBS compiler for execution
  Command and Scripting Interpreter: PowerShell
Unpacked files

SHA256 hash: b498807992cd0b5e151f3788ab97e7fb4f4381ce96ee7f80a0397ca9383db96f
MD5 hash: 6b9d961ba9030fe2dc98bbb48303dacb
SHA1 hash: 05e26ff7ac970b4664441cf66db3e0878c4a6354

SHA256 hash: ffce9d7ebfd2606aff54cbaa4796c8667927234371fe01778faa9af4d68b7ae7
MD5 hash: ff0af8c3063c70a64bc020ab625a5e70
SHA1 hash: 6716cad9b69bfb5c0bf6cc9fb02e078d5ae21764
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 12d5349fd7e823d0ef2cb68653c3bfb53ca3acbfad514b3594c949c3acb507cf
MD5 hash: 7a1502b4bfbb0b0015568f8349c98efc
SHA1 hash: d43bbc11c25fe972fe78f45b98e005a992ebea9d

SHA256 hash: a07218767cb37a2eb228ddf96d25724848f368c446abe6ad0813387dfc603f98
MD5 hash: af22bb92639cb98b8f09382c32c478ac
SHA1 hash: d97ed60de226af9876769ac2e94185cf1b25d676

SHA256 hash: e72ef0d1f80664c428db3ee8701e059560c12634fa96361652709fbe237c4a7d
MD5 hash: b43346bfc319433f9914f043e7b99ddc
SHA1 hash: d76e051753be79ff7f0ce3bbb7969debacc3998f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Signature: Formbook
  File type: Executable exe
  SHA256: b498807992cd0b5e151f3788ab97e7fb4f4381ce96ee7f80a0397ca9383db96f (this sample)
  Delivery method: Distributed via e-mail attachment

Comments