MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
SHA3-384 hash: 21bb682ce62f2db8d353a392382f3e7fe6e29fb3958119e8e75048f6f50b2967f26df58a6c35ad9a89158097180b45c5
SHA1 hash: 3397ae45931386ce83086035472c5d047d1b940c
MD5 hash: f9a3cceff69ad0a54fae2d3493218e32
humanhash: floor-steak-december-carpet
File name:DHL - RECORDATORIO FINAL_8623.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:913'408 bytes
First seen:2025-08-14 13:05:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:UbPLRnnf4ijjqmFCKkL90COPWI3cTefWD:iPZf9fqw407DIx
Threatray 232 similar samples on MalwareBazaar
TLSH T1C015D08C3201F89FC85789718D58EDF8A5206C67B717DE03B0D72D9BB92D6968E061E3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 04d2d0c06c743800 (9 x Formbook, 1 x RemcosRAT, 1 x VIPKeylogger)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c.exe
Verdict:
No threats detected
Analysis date:
2025-08-14 13:08:13 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/06ea9c26-7295-4864-9f77-8ab91149ea4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21384/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689ddf9f48c64d68735c606a
Tags:
micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
confuserex confuserex masquerade obfuscated obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/689ddfa4397fd3ce6fa9419c/reports/3efafef8-37de-4efa-8eb2-f10960811ec3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76c02f10-f37a-4a66-80e9-aa441ad8d5b9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1757018
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1757018 Sample: DHL - RECORDATORIO FINAL_8623.exe Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 46 www.youpartnership.xyz 2->46 48 www.opendawn.xyz 2->48 50 15 other IPs or domains 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 66 7 other signatures 2->66 10 DHL - RECORDATORIO FINAL_8623.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 64 Performs DNS queries to domains with low reputation 48->64 process4 dnsIp5 38 C:\...\DHL - RECORDATORIO FINAL_8623.exe.log, ASCII 10->38 dropped 68 Adds a directory exclusion to Windows Defender 10->68 70 Injects a PE file into a foreign processes 10->70 17 DHL - RECORDATORIO FINAL_8623.exe 10->17         started        20 powershell.exe 23 10->20         started        22 DHL - RECORDATORIO FINAL_8623.exe 10->22         started        24 DHL - RECORDATORIO FINAL_8623.exe 10->24         started        52 127.0.0.1 unknown unknown 14->52 file6 signatures7 process8 signatures9 54 Maps a DLL or memory area into another process 17->54 26 Xi2p08VFtaPbxL.exe 17->26 injected 56 Loading BitLocker PowerShell Module 20->56 28 conhost.exe 20->28         started        process10 process11 30 cacls.exe 13 26->30         started        signatures12 72 Tries to steal Mail credentials (via file / registry access) 30->72 74 Tries to harvest and steal browser information (history, passwords, etc) 30->74 76 Modifies the context of a thread in another process (thread injection) 30->76 78 3 other signatures 30->78 33 JllGnUdQ.exe 30->33 injected 36 firefox.exe 30->36         started        process13 dnsIp14 40 www.78448970.xyz 5.189.151.248, 49732, 49733, 49734 CONTABODE Germany 33->40 42 408.design 3.33.130.190, 49696, 49697, 49698 AMAZONEXPANSIONGB United States 33->42 44 10 other IPs or domains 33->44
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c/
Verdict:
Malicious
Threat:
Trojan.MSIL.Taskun
Link:
https://tip.neiki.dev/file/da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-08-13 19:15:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3kbiiedlmnw6aozecas2xbcsqmjr7og7msttbkcu5swq573rrm6a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
Formbook
1de83b987288b4280bc4b6fad76085039e6331176c878c6c6f0987ac130f9bfb
Formbook
50c0d11e8f7153f1129643673ded00e74fe4cb9e929b0a97d9c5bcf983805e41
Formbook
b9efbbd81183b0e4b818455b4409b3b7c5852069130614ff175abc9d9277edc9
Formbook
cc6de21ebaf5b1da25218987714320f9dcc9dd38acad71a9513a42323621a2ed
Formbook
dc2a9a4798984f2bee384db6530edd8a610201207c6799733700c4b623b1157d
Formbook
e3f0db807199f2c11edacf8fa4a177b047b984f1fb5e85418c43d64c63bddf6d
Formbook
ea64b5ce174c5c197fdcb0cdd9c9371e941c3cebb1a990fdf069b596c02d411d
Formbook
error
Formbook
+ 222 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250814-qcy97atqs8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f967a879-02e0-4791-aba8-4e91808edc07
Unpacked files
SH256 hash:
da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
MD5 hash:
f9a3cceff69ad0a54fae2d3493218e32
SHA1 hash:
3397ae45931386ce83086035472c5d047d1b940c
Link:
https://www.unpac.me/results/4ca8a694-3982-4ee2-814e-a0b317a6d470/
SH256 hash:
e833b4c040a54da76ec316ed0a58bd962c104ecfaf27de4113af7d3e7246a3a9
MD5 hash:
ad7cf108545cde32ec3ee332ce267e83
SHA1 hash:
39aeb72728b1c9e64593766e73435886fdd485b0
Link:
https://www.unpac.me/results/4ca8a694-3982-4ee2-814e-a0b317a6d470/
SH256 hash:
9485dba36ff93583b154f4ab11730ed448f7ee199d2203e0166349e8a3640ef7
MD5 hash:
ccfd69f655d4d803882b790df1d2be62
SHA1 hash:
813de8f1af8fedc5fec1f608824b2d7fec05f830
Link:
https://www.unpac.me/results/4ca8a694-3982-4ee2-814e-a0b317a6d470/
SH256 hash:
a6cc291d1541f12492463b0a788a5ed83471664bcb0304912692dd47b036a79f
MD5 hash:
7a5945836269f5ef605251a6fe36acdd
SHA1 hash:
e7e241956cb94bad0d9b362b14ad2a241b69288f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4ca8a694-3982-4ee2-814e-a0b317a6d470/
SH256 hash:
7fdb90f50f25a2ee61893a56a53cadba49274b71143bff854d40a104f53ea6e9
MD5 hash:
6a9e392389d0ad136892b19d8355c7ac
SHA1 hash:
3b9a9bee21adb3f0dc2caa82cf048589b0848639
Link:
https://www.unpac.me/results/4ca8a694-3982-4ee2-814e-a0b317a6d470/
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da8284106b63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21384/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments