MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66
SHA3-384 hash: 6a8c7fd979c2fbc772f760eca933940988ada94cf6b6d4e6a9b97c62351409a4245b969e9dbe57c3b555dd32606d2ecd
SHA1 hash: f08934d3d87fa954a648da60425ac98965146e81
MD5 hash: 4cd290cac6d9c4e1de99add6781965ad
humanhash: blue-moon-carpet-don
File name:Doc Proposed Checklist.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:780'808 bytes
First seen:2025-10-28 10:50:32 UTC
Last seen:2025-11-06 11:30:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Kq2mqA5s3GO67L5GU8oJ3/NfU/YLfp3qwTXQllCC/W2YQZikR:K3mB5s3Gj9FZVfUwLVaOC+N4
Threatray 2'012 similar samples on MalwareBazaar
TLSH T10DF4126463A4E503DDA99B3049F0F27817BA7DC9EA30C3475AD9ADDFB9A4E609C40313
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter cocaman
Tags:exe FormBook scr Shipping

Intelligence

File Origin
# of uploads :
19
# of downloads :
126
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66.exe
Verdict:
Suspicious activity
Analysis date:
2025-10-28 10:57:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a726502-bbda-4f52-9028-bb8e00990e14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34498/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6900a0119942f1282ec99e19
Tags:
spawn shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/6900a01dacdc0d13837f5f18/reports/69d57ed4-56b5-471e-81ff-250a28f2722e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-28T05:33:00Z UTC
Last seen:
2025-10-30T08:31:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Agent.gen HEUR:Trojan.MSIL.Taskun.gen
Link:
https://opentip.kaspersky.com/d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab1cc21d-9005-47e4-8ea7-4bfa9f209762
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1803124
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1803124 Sample: Doc Proposed Checklist.scr.exe Startdate: 28/10/2025 Architecture: WINDOWS Score: 100 38 www.dmetis.xyz 2->38 40 www.atomicmanager.xyz 2->40 42 19 other IPs or domains 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 58 7 other signatures 2->58 11 Doc Proposed Checklist.scr.exe 4 2->11         started        signatures3 56 Performs DNS queries to domains with low reputation 40->56 process4 file5 36 C:\...\Doc Proposed Checklist.scr.exe.log, ASCII 11->36 dropped 68 Adds a directory exclusion to Windows Defender 11->68 15 RegSvcs.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 15->70 20 epg2WsC7Q.exe 15->20 injected 72 Loading BitLocker PowerShell Module 18->72 22 conhost.exe 18->22         started        process9 process10 24 ARP.EXE 13 20->24         started        signatures11 60 Tries to steal Mail credentials (via file / registry access) 24->60 62 Tries to harvest and steal browser information (history, passwords, etc) 24->62 64 Modifies the context of a thread in another process (thread injection) 24->64 66 3 other signatures 24->66 27 ZJgt6OILbEj3NZ.exe 24->27 injected 30 chrome.exe 24->30         started        32 firefox.exe 24->32         started        process12 dnsIp13 44 bentleybella.info 195.110.124.133, 49769, 49770, 49771 REGISTER-ASIT Italy 27->44 46 horeamsare.cfd 84.32.84.32, 49729, 49730, 49731 NTT-LT-ASLT Lithuania 27->46 48 9 other IPs or domains 27->48 34 WerFault.exe 4 30->34         started        process14
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86
Link:
https://app.malva.re/file/4cd290cac6d9c4e1de99add6781965ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-28 08:43:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 38 (60.53%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2n2ashg264xkszz7r2owh3v257etcwrvchybsto2cuss5o2rprta._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
3103bad7a756dbde298af3162f848f2a3101354148fec4f4b341a7ce17adf4c5
Formbook
515261ba7c77ffd970a3bb7e09d3f54fc5184d72ee48082fd3ac145f004f6e6e
Formbook
65140ae2ddd1e19e3dcdd80ad3b6bd652e7388334e1bd1c526486a12b25df026
Formbook
6e949357f4dcb358dc0ce30daf7d688490f41fbba41a6368059fccb6b24e5230
Formbook
8c9fd9ea38c16b4b38039c60d03c499aff67451f6fcd00d56abd4c81a6f2c3c2
Formbook
9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
Formbook
c34753d6a802dcb3570354a7ecc7e930d957a28cca0d63e698ac0c0cbe67e6cc
Formbook
cb4788741b2c7792c25c956a4c2dab349fed2e93c175cc79c112d6faf95ec8bd
Formbook
decdb74ebd6bcdf8e64941b717e7830a401490f3d37437cc2110afcbc64d6606
Formbook
ee75983f41e1cbcb6571d23f4753b6c361707331e1de552a1c5a6635ff285f4b
Formbook
error
Formbook
+ 2'002 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251028-mxtcwsxlex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9b52fc26-e06a-4132-a717-4593d0cca839
Unpacked files
SH256 hash:
d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66
MD5 hash:
4cd290cac6d9c4e1de99add6781965ad
SHA1 hash:
f08934d3d87fa954a648da60425ac98965146e81
Link:
https://www.unpac.me/results/e082a3df-35d5-417e-8062-466e3be1ed85/
SH256 hash:
9e3ce924f9bd4f48b4b16102eef4d22e99a5724eda3101c4505c68ed555f27d7
MD5 hash:
2a0103aced705d9d2610c1b99853a382
SHA1 hash:
16bf8cccddb43a18167187482926b4f0225064e3
Link:
https://www.unpac.me/results/e082a3df-35d5-417e-8062-466e3be1ed85/
SH256 hash:
f823e6e8ca9bd52588534ec40fa9ec2e7e9621e61783aa58a9ccc9dab49b8d85
MD5 hash:
1e52bc0a874392d7af97f59df70c8c3b
SHA1 hash:
202f6ae7d619fb0fd74cf2f6e0fcd54d89f1c0d3
Link:
https://www.unpac.me/results/e082a3df-35d5-417e-8062-466e3be1ed85/
SH256 hash:
9dbc3207031c7174a69e0ce6aa7466c62e3a8efb268b6e065d630ef610042666
MD5 hash:
2f6ae95ece783a5519e999d26ec2af23
SHA1 hash:
f06d3dda2718f624e6f046650dff9075cde31e88
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e082a3df-35d5-417e-8062-466e3be1ed85/
SH256 hash:
0259508f3db506efb244e2c94aa50d88b25a514a14d57c9e278b36d6beecc4d0
MD5 hash:
2e6b287312c0477bebfdd43861d2a149
SHA1 hash:
0e86638370ba98db513ebf605b8a22423f3e8a7f
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e082a3df-35d5-417e-8062-466e3be1ed85/
Parent samples :
65140ae2ddd1e19e3dcdd80ad3b6bd652e7388334e1bd1c526486a12b25df026
6e949357f4dcb358dc0ce30daf7d688490f41fbba41a6368059fccb6b24e5230
d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d374091cdaf7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 543b79100c980122ce6bfa54b78765da0089ff34b33ca6cf5e9ecdc7ba5e43b2

Formbook

Executable exe d374091cdaf72ea9673f8e9d63eebaefc9315a3511f0194dda15252ebb517c66

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 543b79100c980122ce6bfa54b78765da0089ff34b33ca6cf5e9ecdc7ba5e43b2
Cape
Cape
https://www.capesandbox.com/analysis/34498/
  
Dropped by
MD5 1a09938f23fe83b135ba3b157912b2aa

Comments