MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6
SHA3-384 hash: 20c3903c20afa48ac4af1bf4f81d7f9178e9b3debe22cf70a06d82f2c808623ca72752a09533688c3395e944203bd611
SHA1 hash: e100c466d07e0ae8a6e4c55028f82904243d328a
MD5 hash: d06e7a0a55d46754716dac31f76b56f2
humanhash: nine-fix-nine-golf
File name:be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6
Download: download sample
Signature Formbook
Create hunting rule
File size:774'144 bytes
First seen:2025-11-06 10:54:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:AiySTPLNDkRAmh6S/6yTgYf8dKGIlYa5oI:qLKYf8s3
TLSH T153F4121DBE12EA55CA9D1B7B9113690442A7D029F532F3A72CDB1CE60D2EBD4C10EB1B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6
Verdict:
No threats detected
Analysis date:
2025-11-06 16:12:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bed9601c-cc30-4e99-8e86-756f8ddb20f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35940/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690c7eb1ea0f3e915c238692
Tags:
shell virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T11:36:00Z UTC
Last seen:
2025-11-07T09:54:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d78bf217-2f4b-49ff-83d3-6db65dd809f6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798962
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1798962 Sample: PO.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 7 other signatures 2->51 9 PO.exe 3 2->9         started        process3 signatures4 63 Adds a directory exclusion to Windows Defender 9->63 65 Injects a PE file into a foreign processes 9->65 12 PO.exe 9->12         started        15 powershell.exe 4 9->15         started        process5 signatures6 67 Maps a DLL or memory area into another process 12->67 17 N6NVSlQVP5lW.exe 12->17 injected 69 Installs new ROOT certificates 15->69 process7 signatures8 43 Maps a DLL or memory area into another process 17->43 20 psr.exe 1 20 17->20         started        process9 dnsIp10 32 sqlite.org 194.195.208.62, 49163, 80 NEXINTO-DE Germany 20->32 34 www.sqlite.org 20->34 30 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->30 dropped 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Maps a DLL or memory area into another process 20->59 61 Queues an APC in another process (thread injection) 20->61 25 firefox.exe 20->25         started        28 v6fqHvwD.exe 20->28 injected file11 signatures12 process13 dnsIp14 36 www.editmedtech.xyz 28->36 39 www.truyensexnganhay.icu 45.200.254.48, 49162, 49167, 49169 Africa-on-Cloud-ASZA Seychelles 28->39 41 2 other IPs or domains 28->41 signatures15 53 Performs DNS queries to domains with low reputation 36->53
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.42 Win 32 Exe x86
Link:
https://app.malva.re/file/d06e7a0a55d46754716dac31f76b56f2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-20 22:34:37 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyapqdvmebrd24d53aynup27c6hjj36nbxlmlpnisokalhfuogta._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251106-m1bbgszpfy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6753c132-c2b7-4361-a165-3599046b73df
Unpacked files
SH256 hash:
be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6
MD5 hash:
d06e7a0a55d46754716dac31f76b56f2
SHA1 hash:
e100c466d07e0ae8a6e4c55028f82904243d328a
Link:
https://www.unpac.me/results/b3db7880-565f-40c5-aeb9-e7748772e578/
SH256 hash:
9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a
MD5 hash:
0e1119a6df48b550ad1353d136297ef3
SHA1 hash:
3f89b2297c1e0a29932eb25741a51538e005d565
Link:
https://www.unpac.me/results/b3db7880-565f-40c5-aeb9-e7748772e578/
SH256 hash:
6823f349190a6c1a841796cfff74ad71b1ba52914dd36bdd85f95bafc4274ce9
MD5 hash:
9b25de9446ccb13b96798dd195b01d8f
SHA1 hash:
4a12bf86462a9093d56f33806e86fa446d301d66
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b3db7880-565f-40c5-aeb9-e7748772e578/
SH256 hash:
d62c1a56d3aa58668d0a36ec87991fb58c0f0be8dc3e13af7bca68ff075590af
MD5 hash:
b45fe57fa1568fd6c6869072a4c791e6
SHA1 hash:
a28a339ce7abb1169a7987a1042e23d999cab664
Link:
https://www.unpac.me/results/b3db7880-565f-40c5-aeb9-e7748772e578/
SH256 hash:
1f9013e4584c7c9305754f508740d54b6e4a1dff55916d40e249e01ed980c8bd
MD5 hash:
9c6c4a8b37e80926dccb544c7661b21a
SHA1 hash:
692fce3010b79ffc35f292bb9fd70c596f864611
Link:
https://www.unpac.me/results/b3db7880-565f-40c5-aeb9-e7748772e578/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be00f80eac20623d707dd830da3f5f178e94efcd0dd6c5bda89394059cb471a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35940/

Comments