MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa
SHA3-384 hash: 3343a649880d6173594ccecbc1dc79b46b2203735e3a5a1f6872260a328b1c2840222946eb8248499e61921b21a8efb2
SHA1 hash: ef581890bc75b31b914b513ccda53c7d3f25058f
MD5 hash: 52a321e48902b8fbd1e984d9bd15f278
humanhash: papa-hawaii-five-finch
File name:DHL UK Invoice PO656-2025.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:808'328 bytes
First seen:2025-05-22 06:21:23 UTC
Last seen:2025-06-10 08:30:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:74P0inwlM8dWWM9p9jrT6qqda0jABnTrcSt9Rtu1CH5femeS+SFTpf:74P0inwGGWR9zy5tjAtrcmRwmeMf
Threatray 107 similar samples on MalwareBazaar
TLSH T1AB055003FA57C5B2D25C5776C5AB080057A4E5867713F61E3B8E2B7A1AC3BBAF841603
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
423
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL UK Invoice PO656-2025.exe
Verdict:
Malicious activity
Analysis date:
2025-05-22 07:54:04 UTC
Tags:
netreactor auto-startup
Link:
https://app.any.run/tasks/a59ba823-ae6b-4cb1-921f-2d6931f60415

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.3608.25978.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ec5c92f280a98fb432fb8
Tags:
injection autorun virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 invalid-signature lolbin masquerade net_reactor obfuscated packed signed tracker
Link:
https://www.filescan.io/uploads/682ec2e8fd02ed5e0581d31d/reports/33a58975-54e0-4452-b047-a694b40c50dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bf946112-bb82-48fc-ab7d-7445bb140123
Result
Threat name:
FormBook, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696607
Signature
.NET source code contains potential unpacker
Detected potential unwanted application
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696607 Sample: DHL UK Invoice PO656-2025.exe Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 45 www.eufi.xyz 2->45 47 www.u90hm.top 2->47 49 www.netbarg.com 2->49 65 Suricata IDS alerts for network traffic 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected ResolverRAT 2->69 73 10 other signatures 2->73 11 DHL UK Invoice PO656-2025.exe 15 5 2->11         started        16 wscript.exe 1 2->16         started        signatures3 71 Performs DNS queries to domains with low reputation 45->71 process4 dnsIp5 51 158.247.250.251, 49682, 49693, 80 FEWPBUS United States 11->51 39 C:\Users\user\AppData\Roaming\temp.exe, PE32 11->39 dropped 41 C:\Users\user\...\temp.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\Users\user\AppData\Roaming\...\temp.vbs, ASCII 11->43 dropped 83 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->83 85 Injects a PE file into a foreign processes 11->85 18 DHL UK Invoice PO656-2025.exe 11->18         started        87 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->87 21 temp.exe 14 2 16->21         started        file6 signatures7 process8 signatures9 59 Maps a DLL or memory area into another process 18->59 23 itVxuisQ3GSM.exe 18->23 injected 61 Multi AV Scanner detection for dropped file 21->61 63 Injects a PE file into a foreign processes 21->63 25 temp.exe 21->25         started        process10 process11 27 runonce.exe 13 23->27         started        signatures12 75 Tries to steal Mail credentials (via file / registry access) 27->75 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 79 Modifies the context of a thread in another process (thread injection) 27->79 81 3 other signatures 27->81 30 KfZtnYNgGA.exe 27->30 injected 33 chrome.exe 27->33         started        35 firefox.exe 27->35         started        process13 dnsIp14 53 www.u90hm.top 23.248.239.130, 49695, 80 CNSERVERSUS United States 30->53 55 www.eufi.xyz 13.248.169.48, 49696, 49697, 49698 AMAZON-02US United States 30->55 57 www.netbarg.com 185.143.235.201, 49700, 49701, 49702 ABRARVAN-ASAbrArvanCDNandIaaSIR Iran (ISLAMIC Republic Of) 30->57 37 WerFault.exe 4 33->37         started        process15
Score:
72%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-21 13:28:21 UTC
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkzzt4d37eedcwfpkm5ij7xujngkrmjo3q5j6rngqkjyzeyljsva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
140b71c1dc8ccf24de4f4bdd0c1acd6db259b720eb263123b7c100d5a6051852
Formbook
1a543f2f8272bb0fc011fe46ecf0ce26a69d043ce9298ea3aa582eca9817d24d
Formbook
2f1ffb5dca9c01226ba8081747a61288a63f048eda76ce995970568a41a3fbbc
Formbook
34c06c3e40d9b454a9b8cad1b0a52ad8f1974f63f4badb9613ea07ef426ca3b8
Formbook
7796b1f3337cbf48250d70b2ec8c11faa588f5f44078f4a2296e53ef04f35f9e
Formbook
92bab94e0b81ebb7b78da95f1dd74fabc4799e8aa9e5eb6af4b1d64c4b603745
Formbook
cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa
Formbook
error
Formbook
+ 97 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250522-g5n59ayqt5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa
MD5 hash:
52a321e48902b8fbd1e984d9bd15f278
SHA1 hash:
ef581890bc75b31b914b513ccda53c7d3f25058f
Link:
https://www.unpac.me/results/5357fe75-0afa-49e4-9a32-d0534a33c900/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cab399f07bf9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cab399f07bf9083158af533a84fef44b4ca8b12edc3a9f45a682938c930b4caa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments