MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9
SHA3-384 hash: 6e97cbdffafa5303b0967e267cf94d0fcc8cd7e8e028448ee1f66f84ee05e8958fa21a1acfd87e27f582d6618ab46338
SHA1 hash: 6d352144aa08f194fc644d67790695697b77ebe4
MD5 hash: 7ed531c449e466a01400f0cbb0fd52c3
humanhash: missouri-uncle-saturn-green
File name:SecuriteInfo.com.Variant.Strictor.299872.1985.31709
Download: download sample
Signature Formbook
Create hunting rule
File size:754'176 bytes
First seen:2025-08-06 03:23:21 UTC
Last seen:2025-08-08 13:36:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:bo3NzoRultRj9xECg9wPiylI8uOla/NXGMR7CJdyh+nzSIALDb:ANMkTsyPiylI5SaloJAh+nzSD
Threatray 4'220 similar samples on MalwareBazaar
TLSH T1E9F4225B2429C91BE06462F180B3E37A03AD8C6BE657D30AFBE8DDDB7A173915418347
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon d9b8e8e8e96982ce (6 x SnakeKeylogger, 4 x AgentTesla, 4 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
57
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.Strictor.299872.1985.31709
Verdict:
Malicious activity
Analysis date:
2025-08-06 03:23:57 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/93c5d918-1473-4b52-bb39-4d6d090e05aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19115/
Detection(s):
SecuriteInfo.com.Variant.Strictor.299872.1985.31709.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6892cac01e8a59ee04e62145
Tags:
virus micro msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/6892cab7397fd3ce6f9e91bc/reports/bf0ff40d-00d7-46bc-843b-af3a4d062018/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1db245c-49b2-402b-a0a4-c333a1d33a5b
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.46 Win 32 Exe x86
Link:
https://app.malva.re/file/7ed531c449e466a01400f0cbb0fd52c3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 02:40:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2revt2j5y2d57wymefasyww272b3aupi633vwedd652ejoezpkuq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
162e62a5fdd086d5d83c8d7cf95361fa0592c457b421e170bc00b525b7691bfc
Formbook
48e26c7deb209ebe078555fa63c90fa94b8848ad39695561e7945a70bfe4ae32
Formbook
5e9e96b9e53a7d849b545872cec08f3ec4dc1b2ce51c841f647a2212ecff5b3a
Formbook
95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915
Formbook
d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9
Formbook
ded67530b43d631ec743606859227570de9e18ce9d61a72b2641fdaff6dc78e6
Formbook
error
Formbook
+ 4'210 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250806-dxsxpabl4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d42d1c15-532e-4610-b6c4-a824ce02fc98
Unpacked files
SH256 hash:
d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9
MD5 hash:
7ed531c449e466a01400f0cbb0fd52c3
SHA1 hash:
6d352144aa08f194fc644d67790695697b77ebe4
Link:
https://www.unpac.me/results/49b1f008-15a2-49e1-8dbd-572df0ada1ce/
SH256 hash:
bf055955186bbe08f6ca366549751310f1958eb528d0fb029c457425963c76ad
MD5 hash:
2db6bc1c88650472ee9780cef12e7a77
SHA1 hash:
02ba920c9a63374cf0ede1bef4a95ece6aa047b8
Link:
https://www.unpac.me/results/49b1f008-15a2-49e1-8dbd-572df0ada1ce/
SH256 hash:
78b7efd713d42402b7b2393aa73ad818b68766009e802f57bd5938a24cbf7d1c
MD5 hash:
43e6b4bdb476e105ec1fb1aa8719df41
SHA1 hash:
c62d7ffcae073f74d4e752dcfc25a15c0bd3cbfa
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/49b1f008-15a2-49e1-8dbd-572df0ada1ce/
SH256 hash:
6602459e917db58b17b53efcaa362098586828fb2cc861bf4158a64857483209
MD5 hash:
9d830fab59624d6820d261b39c5316b8
SHA1 hash:
e14d1e0eb5c9223920fef1028ab7f7c67f0782c5
Link:
https://www.unpac.me/results/49b1f008-15a2-49e1-8dbd-572df0ada1ce/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d44959e93dc6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip fcfc5e8a181178160ae47464b97148989299c6f566f6d866af2c545418f6e112

Formbook

Executable exe d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/19115/
  
Dropped by
SHA256 fcfc5e8a181178160ae47464b97148989299c6f566f6d866af2c545418f6e112
  
Dropped by
MD5 496fcbacb5b64712cbb6e1d071f1e4b4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments