MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994
SHA3-384 hash: cfb94962cb56b712694b8a96cb9a1a5c6533aa173b4f0e50e235ee031c7efc2c8e4f7b7f2d1485760087f0506dfb6607
SHA1 hash: 87f3a825c3369685b2fc85113e4a00e99e043c98
MD5 hash: 4ba34e67266629b6ad566702d98c35b5
humanhash: michigan-lamp-iowa-william
File name:rlistadepedidosped044-25.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:797'184 bytes
First seen:2025-09-11 07:30:07 UTC
Last seen:2025-10-10 06:23:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:AKqOZQ8QNZxlu6X8M3MSyZxfj78aKZbvh3a9y10bupnJZ/lVlp/3RrJg:vRQvNDlum82wB8aMzJybupnJp/dJ
TLSH T1E105F114161ACE09D0A64FF55A72E3B40B78AE9DE901D30B8FC63DDFB836B549A41347
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
113
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rlistadepedidosped044-25.exe
Verdict:
No threats detected
Analysis date:
2025-09-11 08:05:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6d60cb9-14cd-4db1-af29-bd07b5f03104

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26866/
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c27ac56e66ba602d7a4f0e
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/68c27ae173287948292677a0/reports/91c7648a-eeda-4335-94ed-547e01482d2c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T03:42:00Z UTC
Last seen:
2025-09-11T03:42:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cae9a8b6-3ad3-41ff-a849-667f04ba1542
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86
Link:
https://app.malva.re/file/4ba34e67266629b6ad566702d98c35b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 07:31:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xofwlegklrs36vn3ej5mmaldmqkoy7a7uh42ma4eb5l6ix4prgka._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250911-jcdj6azydz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8f709391-6257-44b4-a4b8-8c93ec3a23d7
Unpacked files
SH256 hash:
bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994
MD5 hash:
4ba34e67266629b6ad566702d98c35b5
SHA1 hash:
87f3a825c3369685b2fc85113e4a00e99e043c98
Link:
https://www.unpac.me/results/27261807-78fb-428a-8449-3b2de9dba8f3/
SH256 hash:
32ee6025408a4300da68672b301ceedd9612abf7f295475bc9076e84ab07f25b
MD5 hash:
2c82ee7d98aa515f97ddaf2bddb63408
SHA1 hash:
124528d05f2b66a48f78ed3f1e65d1cea5d72cbc
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/27261807-78fb-428a-8449-3b2de9dba8f3/
SH256 hash:
4a8af9946518b7adfabab291dccfa4f3e27acac1ef07d4f8a69ebb488994bac1
MD5 hash:
56c90d081546763ea9a07679d338a4bc
SHA1 hash:
344a336b0717e7dd13e8afe573c54bde42947281
Link:
https://www.unpac.me/results/27261807-78fb-428a-8449-3b2de9dba8f3/
SH256 hash:
9c4144542c1fd5b3b34dc67a235efdecbfeeb53bd518085fa3b5dc313f2a8f63
MD5 hash:
85337d2be4b79cafdd99f45ce1e56aac
SHA1 hash:
73873dc1039981c34d25b75e40e4b2f0e42c80b2
Link:
https://www.unpac.me/results/27261807-78fb-428a-8449-3b2de9dba8f3/
SH256 hash:
07a5e9cce2c7d90bbfebb2a96ea963ad4476baa97b7a3b663f64de5695614e50
MD5 hash:
7534553d2f003d47629fdcb90301d68b
SHA1 hash:
943a3fbddba4c083a4d84416fbdf40b08938b6f5
Link:
https://www.unpac.me/results/27261807-78fb-428a-8449-3b2de9dba8f3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb8b6590ca5c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bb8b6590ca5c65bf55bb227ac601636414ec7c1fa1f9a603840f57e45f8f8994

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26866/

Comments