MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1
SHA3-384 hash: 40ed1cd949fc0a2e03bd1098889c65d1c6a6a5af85519213b9bb9ff5a1d991851c9c6623154d1c66a682397cbb5991f6
SHA1 hash: 2f729bb93593534862a9d2e804e014536f6463d6
MD5 hash: 757f76af04d8c2c966986a89e2970325
humanhash: hawaii-eighteen-oregon-queen
File name:Order PO#240145.ace
Download: download sample
Signature Formbook
Create hunting rule
File size:685'783 bytes
First seen:2025-07-25 12:12:11 UTC
Last seen:Never
File type: ace
MIME type:application/x-ace-compressed
ssdeep 12288:PA1Z6bSWUcUWr7wNoo7W1zfgSBO+DSCZ7pxcerh9Na6zx6LZxNJ8U+Vf1XU:PA1ZyyWUooC1zPOySCZHcerHNpxWIrU
TLSH T171E42363BA368F4E888E580BCF385A05E9498FF7C8502151ADBDBDD5E6E24F0271712D
Magika unknown
Reporter cocaman
Tags:ace FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "Chien-hung<Financial@lgepartner.com>" (likely spoofed)
Received: "from [167.160.161.96] (unknown [167.160.161.96]) "
Date: "25 Jul 2025 05:11:33 -0700"
Subject: "WG: Order PO240145"
Attachment: "Order PO#240145.ace"

Intelligence

File Origin
# of uploads :
1
# of downloads :
39
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688374a9af3050dc8d30c133
Tags:
stealer virus word
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/688374adc79df08ef0957649/reports/36d8f5f2-20d0-4b2f-9108-f4e94fe685b2/overview
Verdict:
Malicious
Labled as:
Mal/DrodAce
Link:
https://www.hybrid-analysis.com/sample/b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1/
Verdict:
Malicious
Threat:
HEUR:Trojan-Spy.Win32.Noon
Link:
https://tip.neiki.dev/file/b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1
Threat name:
ByteCode-MSIL.Infostealer.Genie8DN
Create hunting rule
Status:
Malicious
First seen:
2025-07-25 06:21:45 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcmb2mjfw4bmoqi726ulgpp5nz7l5rihx7uzy32nqwvh47ovwoyq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250725-ptndkszzew/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ACE_Containing_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems) - based on Nick Hoffman' rule - Morphick Inc
Description:Looks for ACE Archives containing an exe/scr file
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace b8981d3125b702c7411fd7a8b33dfd6e7ebec507bfe99c6f4d85aa7e7dd5b3b1

(this sample)

Formbook

Executable exe be3b41c810133c52469f01114284c66d96cbbeafefd4d1055f3202d0564826be

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 be3b41c810133c52469f01114284c66d96cbbeafefd4d1055f3202d0564826be
  
Dropping
MD5 465121f65e9e8865b36cf0891b976b82

Comments