MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
SHA3-384 hash: 4d03d1f114593e4622d9b119dcd8c972dbb23cf67faaf721e5dcd7c6910bb25df0080e328e64d85191b09a543bce0460
SHA1 hash: aa35f7241b5518223cbb5ba8f33e735833725e1e
MD5 hash: c21f86ac794dcd6e3b03c5e41e6b6cd1
humanhash: butter-london-georgia-carolina
File name:Request Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:761'856 bytes
First seen:2025-12-04 07:33:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:yPdiov8xzHu94dzCFnaDRUiiNoIrC1lwiUGjW/6pwf/+06Ldfz+Pv+igh8kovga2:yPdioEYmGFziimIrONjW/Dfm06lyOFqM
Threatray 2'248 similar samples on MalwareBazaar
TLSH T11BF412107569D917DAF752F408B2F23083BB6EAE7412D3D18EEDAE9B74E9B101510A83
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/bc7fcc91-7f60-4b72-8c68-2beac80872c9/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Request Quotation.exe
Verdict:
Malicious activity
Analysis date:
2025-12-04 07:39:32 UTC
Tags:
auto-sch-xml formbook xloader stealer
Link:
https://app.any.run/tasks/25fd3e5d-c831-4634-9b38-989afa548bf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42416/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6931397a16e6db515e469878
Tags:
stration shell spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/69313979bc15eab491f41939/reports/a294ed97-7bcf-45a8-bed4-7722b9355970/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-03T22:27:00Z UTC
Last seen:
2025-12-04T13:11:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89133b70-e70e-4f64-89af-529eb312e2c0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1826188
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1826188 Sample: Request Quotation.exe Startdate: 04/12/2025 Architecture: WINDOWS Score: 100 67 www.54818532.xyz 2->67 69 www.yp7ced.info 2->69 71 16 other IPs or domains 2->71 79 Suricata IDS alerts for network traffic 2->79 81 Sigma detected: Scheduled temp file as task from temp location 2->81 83 Multi AV Scanner detection for submitted file 2->83 87 9 other signatures 2->87 10 Request Quotation.exe 7 2->10         started        14 dooItrZHGXk.exe 5 2->14         started        16 svchost.exe 2->16         started        signatures3 85 Performs DNS queries to domains with low reputation 67->85 process4 dnsIp5 57 C:\Users\user\AppData\...\dooItrZHGXk.exe, PE32 10->57 dropped 59 C:\Users\...\dooItrZHGXk.exe:Zone.Identifier, ASCII 10->59 dropped 61 C:\Users\user\AppData\Local\...\tmp21CA.tmp, XML 10->61 dropped 63 C:\Users\user\...\Request Quotation.exe.log, ASCII 10->63 dropped 95 Adds a directory exclusion to Windows Defender 10->95 97 Injects a PE file into a foreign processes 10->97 19 Request Quotation.exe 10->19         started        22 powershell.exe 23 10->22         started        24 powershell.exe 23 10->24         started        26 schtasks.exe 1 10->26         started        99 Multi AV Scanner detection for dropped file 14->99 101 Unusual module load detection (module proxying) 14->101 28 dooItrZHGXk.exe 14->28         started        30 schtasks.exe 14->30         started        65 127.0.0.1 unknown unknown 16->65 file6 signatures7 process8 signatures9 89 Maps a DLL or memory area into another process 19->89 32 lxLBhINV.exe 19->32 injected 91 Loading BitLocker PowerShell Module 22->91 34 WmiPrvSE.exe 22->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 0EQVEaSVa8NzeW.exe 28->42 injected 45 conhost.exe 30->45         started        process10 signatures11 47 runonce.exe 13 32->47         started        93 Maps a DLL or memory area into another process 42->93 50 runonce.exe 42->50         started        process12 signatures13 103 Tries to steal Mail credentials (via file / registry access) 47->103 105 Tries to harvest and steal browser information (history, passwords, etc) 47->105 107 Modifies the context of a thread in another process (thread injection) 47->107 109 4 other signatures 47->109 52 TSexU7tYzFx.exe 47->52 injected 55 firefox.exe 47->55         started        process14 dnsIp15 73 www.uaeinteract.com 72.61.13.112, 49737, 49738, 49739 SPCSUS United States 52->73 75 www.torena.life 162.0.239.7, 49725, 49726, 49727 NAMECHEAP-NETUS Canada 52->75 77 11 other IPs or domains 52->77
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.27 Win 32 Exe x86
Link:
https://app.malva.re/file/c21f86ac794dcd6e3b03c5e41e6b6cd1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-12-04 03:09:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7ufs7hxatfvoydd46edcrwiv5htqrjb3xa6zmcz3eovqsalyjsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
Formbook
70f1abf1a366530426cb0afa916a8a3c2402fee0349f6784447afeac70167263
Formbook
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
Formbook
d04519a5f28662179a347bfff8fb1a96984b9019d097cab9d6903069129370fb
Formbook
db603d2938218ca0b95c604a319858d625907401a9317fafce65d916c7858347
Formbook
ecd80dc690eee6d7f89ad7f036aed2000c548440fabd8df91ab539307eb317aa
Formbook
fdd0a8858df54f275b361c6a7dae61ffb8761943c02d72a7f658c1ca56345b31
Formbook
+ 2'238 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251204-jd8fxsem9w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/70364724-9b50-4f45-a293-d2a0861ed76a
Unpacked files
SH256 hash:
bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
MD5 hash:
c21f86ac794dcd6e3b03c5e41e6b6cd1
SHA1 hash:
aa35f7241b5518223cbb5ba8f33e735833725e1e
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
SH256 hash:
19622efe949906f3a8a270a3cffdb7bd2967ebb766e5403ae0aa48f02114a69c
MD5 hash:
d2b35b1a51cb336661a24382d7c92d81
SHA1 hash:
037061702cb17c6b33cd506f128bd6a59f06abd1
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
SH256 hash:
d1765ef840d7b50c6ee430f1a0ac15e38ee71aa918d1108e86c0786caad5144d
MD5 hash:
70a06bd2db420411513441e3e4a5bbd0
SHA1 hash:
2e8a914745e38a897c673095e7722dcdfbd3882c
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
SH256 hash:
fe92883751644cd7792c4016b79e527ae7128f5e0d1b6ab89b546876a4df882c
MD5 hash:
e56d8d905a1bea8e84416aba62db896a
SHA1 hash:
37a22ecf7b79371efa525261907bd1f8a6559f18
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
SH256 hash:
8f597c4088753b230af69d8f3e241cbab58ce7cc011fc573b11a2db39032566c
MD5 hash:
00ea34699286923253d5a3b358f483ef
SHA1 hash:
4d415c988027b0ff0c2a5bf89b32f5ebf2f5d1ec
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
SH256 hash:
65ff3c159e0d6207aca43001079c062646d480ff9558454ac5666d5c0921ff70
MD5 hash:
2cc742abf147d316fb4243482b739fa7
SHA1 hash:
768f08baf401a952f2eb27cb0e9476d34a48f05b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
Parent samples :
6e2b1a9ba0fb924774b35d3fe97e5ee232de78f7292fd7a79c678d6de974751a
d4ac4a98170b7b5606fc03e625be2973bd0f4ad38c653ba4db1558fead88dc0a
f50d4bf5151fc2f9f89ff48f4ead9ea615bc85a951b88a6d83d0dd53bd17a942
e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4
bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819
ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee
de0892e8c62f21f2fb6669f8b4bf28a7bd9c014cc5820735491c44ce93fe0f09
549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
SH256 hash:
f6e40703214e53214932dad8f343b60263420de76caf1a8c52446d3e1fc103a0
MD5 hash:
1d2c5d96a77378b3f03972ba34b7f7f1
SHA1 hash:
cb474a6570b9406da8e5e85c5b4c1a3d41fbde67
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
SH256 hash:
2eb389520506883b4b3e21e58ef7021e5f602d0cf5350165ceb3bd49059f8fcf
MD5 hash:
bd7067155d0c051529fcb14d3eadb066
SHA1 hash:
fd2bbd3e85e8b5656a5596c646b351fbd43b15c1
Link:
https://www.unpac.me/results/6a8a46be-a951-425c-a07a-2eabb55c1806/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bfe8597cf704/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42416/

Comments