MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd3876251da91bfe2d9af57cec442fc2c658a6841892f4ea8954c96260683393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

SHA256 hash: dd3876251da91bfe2d9af57cec442fc2c658a6841892f4ea8954c96260683393
SHA3-384 hash: b8e44b48c9f71923d1c3a10ced6b489a78a2f55d5d756903aad8eef1457953e833cec6b1e160a62b8cb0feabe0db97ea
SHA1 hash: d739c1959e8f5afd02fabeedff3441399b18b24d
MD5 hash: c0f9ceba05b4d0cfed4d4fdecaefa090
humanhash: uniform-lithium-cola-thirteen
File name: 0ZJ7siXFvpTZZoW.cmd
Signature: Formbook
File size: 770'560 bytes
First seen: 2025-11-03 10:26:55 UTC
Last seen: 2025-11-10 09:00:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'841 x AgentTesla, 19'773 x Formbook, 12'296 x SnakeKeylogger)
ssdeep: 12288:AmTAyKR2Ih7vulFsooqxdkTWXpYiRnKkd1waYynSnJmxhITtg+:bTAyyjGFhNWCzKQ1zYcSnJmxhITtg+
Threatray: 2'138 similar samples on MalwareBazaar
TLSH: T104F412693B62DB23C96763B599B2F2F0537E1DAEA100E2035EDA7DEB7522B004C045D7
TrID:
  35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
  22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
  6.9% (.ICL) Windows Icons Library (generic) (2059/9)
  6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: adrian__luca
Tags: exe, FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 114
Origin country: HU
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _dd3876251da91bfe2d9af57cec442fc2c658a6841892f4ea8954c96260683393.exe
Verdict: No threats detected
Analysis date: 2025-11-03 10:29:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: shell sage

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Creating synchronization primitives
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade obfuscated packed vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2025-11-03T03:36:00Z UTC
Last seen: 2025-11-05T05:22:00Z UTC
Hits: ~100
Detections: Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb

Malware family: Malicious Packer
Verdict: Malicious

Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.33 Win 32 Exe x86

Threat name: ByteCode-MSIL.Trojan.Egairtigado
Status: Malicious
First seen: 2025-11-03 10:27:27 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 16 of 23 (69.57%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery rat spyware stealer trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Formbook payload
  Formbook
  Formbook family
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect PE file that has no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
  Executable exe dd3876251da91bfe2d9af57cec442fc2c658a6841892f4ea8954c96260683393 (this sample)
  Delivery method: Distributed via e-mail attachment
