MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbe069fd820088df5b2cf3f6eafef9af26d373dc2d41cdb1aa4a4f31295f422f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18


SHA256 hash: bbe069fd820088df5b2cf3f6eafef9af26d373dc2d41cdb1aa4a4f31295f422f
SHA3-384 hash: b177f9cddbe743e052ce6d452a74e5d93384d3ce26e97b155106e22521166fab927433548d9e3f370bc6c3198e1828e2
SHA1 hash: 6fcd016091e8e48c036371b1974c1a03a2555140
MD5 hash: 89ed5fcaffa2f2bb6db3c8206da67d31
humanhash: bravo-december-florida-maryland
File name: ungziped_file
Signature: Formbook
File size: 812'032 bytes
First seen: 2025-11-24 14:41:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:mbyPgd5SPYSEqsQuK7IHgfYUyWVCYroGkETgQb:mWm5SPYusQu/HXUXVCYroGDb
Threatray: 3'499 similar samples on MalwareBazaar
TLSH: T192050156362AEE03C8664AF01651C2F157B46DDEA125D2C7AEDB3DDBF4EAF1021003A7
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: adrian__luca
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 107
Origin country: HU

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: ungziped_file
Verdict: Malicious activity
Analysis date: 2025-11-24 15:02:21 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: stration shell virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-19T10:41:00Z UTC
Last seen: 2025-11-25T14:41:00Z UTC
Hits: ~100
Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.28 Win 32 Exe x86
Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2025-11-19 12:47:19 UTC
File Type: PE (.Net Exe)
Extracted files: 16
AV detection: 18 of 24 (75.00%)
Threat level: 2/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe bbe069fd820088df5b2cf3f6eafef9af26d373dc2d41cdb1aa4a4f31295f422f (this sample)
Delivery method: Distributed via e-mail attachment
