MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 21


Intelligence 21 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
SHA3-384 hash: 4e0844e52d0628a2052bf959f116f23ef6ea9fa8a206564d8c6d63f0d16cd48715aee769ac04700d8107709a57d2eed5
SHA1 hash: 1431188ce3d453920493f61a75b8528a822628d3
MD5 hash: 0e28e8df77cfa1baf5bd0e6bcfbf37ce
humanhash: kitten-oven-green-whiskey
File name:Offer Nr. 35830.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:820'736 bytes
First seen:2025-09-24 07:06:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:BMrXKWr1AJlYubGo0GDlwYD7bPhsEF/kwCS4siJPHw0x61EVFXd:oL6JdGo00we/PHVFiFXxX
TLSH T10605020122E9E705C0B74BF50970E3B017766E997912E32E4EE6ACDF3D35B412E0A667
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Offer Nr. 35830.exe
Verdict:
Malicious activity
Analysis date:
2025-09-24 07:22:59 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/f632be21-56c4-43c4-8de5-7df9a0c262a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28741/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.656.10785.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53da7cc9425144151cc68
Tags:
shell virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc zero
Link:
https://www.filescan.io/uploads/68d3986eb4f22678f7637fda/reports/2f7d434d-e8e3-415a-996f-b7e3748022d0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-23T21:35:00Z UTC
Last seen:
2025-09-23T21:35:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Taskun.gen Backdoor.Agent.HTTP.C&C Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest
Link:
https://opentip.kaspersky.com/bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c996afd-4867-494f-a73e-ac09eb8e7106
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1783088
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1783088 Sample: Offer Nr. 35830.exe Startdate: 24/09/2025 Architecture: WINDOWS Score: 100 41 www.runefi.xyz 2->41 43 www.raginput.xyz 2->43 45 19 other IPs or domains 2->45 59 Suricata IDS alerts for network traffic 2->59 61 Antivirus detection for URL or domain 2->61 63 Multi AV Scanner detection for submitted file 2->63 67 7 other signatures 2->67 11 Offer Nr. 35830.exe 4 2->11         started        15 svchost.exe 1 1 2->15         started        signatures3 65 Performs DNS queries to domains with low reputation 43->65 process4 dnsIp5 39 C:\Users\user\...\Offer Nr. 35830.exe.log, ASCII 11->39 dropped 77 Adds a directory exclusion to Windows Defender 11->77 79 Injects a PE file into a foreign processes 11->79 18 Offer Nr. 35830.exe 11->18         started        21 powershell.exe 23 11->21         started        53 127.0.0.1 unknown unknown 15->53 file6 signatures7 process8 signatures9 55 Maps a DLL or memory area into another process 18->55 23 o155CYyLg.exe 18->23 injected 57 Loading BitLocker PowerShell Module 21->57 25 conhost.exe 21->25         started        process10 process11 27 replace.exe 13 23->27         started        signatures12 69 Tries to steal Mail credentials (via file / registry access) 27->69 71 Tries to harvest and steal browser information (history, passwords, etc) 27->71 73 Modifies the context of a thread in another process (thread injection) 27->73 75 3 other signatures 27->75 30 zpE3nnY7Gy4jcP.exe 27->30 injected 33 chrome.exe 27->33         started        35 firefox.exe 27->35         started        process13 dnsIp14 47 www.jorvia.site 203.161.58.88, 49709, 49710, 49711 VNPT-AS-VNVNPTCorpVN Malaysia 30->47 49 8m1.xyz 173.0.157.187, 49721, 49722, 49723 SERVERS-COMUS United States 30->49 51 11 other IPs or domains 30->51 37 WerFault.exe 4 33->37         started        process15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.16 Win 32 Exe x86
Link:
https://app.malva.re/file/0e28e8df77cfa1baf5bd0e6bcfbf37ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-24 01:40:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
28 of 37 (75.68%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtsg2z25k6yjwk7yl4ijvm6n2ewhrfcrtof2g5bgmao5ddvqgzyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250924-hw9ahadl6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a24c97fa-d65b-481d-9166-2a65be71d488
Unpacked files
SH256 hash:
bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
MD5 hash:
0e28e8df77cfa1baf5bd0e6bcfbf37ce
SHA1 hash:
1431188ce3d453920493f61a75b8528a822628d3
Link:
https://www.unpac.me/results/dc916b83-9672-4cda-baab-652f24419b75/
SH256 hash:
cdb8ac92c7a341ee1ead563bf7b48a244d580acfb30704043b6d4b24ea5ccf09
MD5 hash:
07ca79c30cd50df8c68d115eebd52475
SHA1 hash:
a70c058086cd6156059b9947aee5bcd3f75f3336
Link:
https://www.unpac.me/results/dc916b83-9672-4cda-baab-652f24419b75/
SH256 hash:
c050f733455e5e3e05d434612abe51e018629692e87a91c41e46b75dbc3f7e42
MD5 hash:
b62f8bd4529cd5e4d3ee58c9ff8f91ef
SHA1 hash:
ad168f2238622c4dbc5f26273867f221b367cbec
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dc916b83-9672-4cda-baab-652f24419b75/
SH256 hash:
0fd8fbd3f9fea94bbfaa61d0b25e4d7e1f624338912296a8cd05fad3de6f7b64
MD5 hash:
c74b415bb180764d6b8031cec0cebe45
SHA1 hash:
ce2b7b025b572f8d797aee799d74f9bdee553fd7
Link:
https://www.unpac.me/results/dc916b83-9672-4cda-baab-652f24419b75/
SH256 hash:
f0cb55f264ecd2e074276bac9bb05156d4c1e9d0c7c32731ca0eab8e56cf8a93
MD5 hash:
652dc3ea284ef5640b37e3d3d844e440
SHA1 hash:
3b6aa4a5591245f8260304d65f5f7c2c6d175314
Link:
https://www.unpac.me/results/dc916b83-9672-4cda-baab-652f24419b75/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bce46d675d57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28741/

Comments