MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe
SHA3-384 hash: cd094b200ce0e6ededdd65dfbec96382f33a8c995e2197754895fce52e1ee57aca87d39328a305772df35d82cee54ef5
SHA1 hash: d889d3fbd1f4e2811740a7eb6ea03dded897a439
MD5 hash: a57783577096887dcc65dbeaedba9a6a
humanhash: gee-minnesota-xray-hamper
File name:deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe
Download: download sample
Signature Formbook
Create hunting rule
File size:763'904 bytes
First seen:2025-10-10 06:24:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'819 x AgentTesla, 19'743 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 12288:KKqOZQ856l4C1di4KaEMUmHjeUDwcpPT3UcpvBplHETjgZezyvzMUFbEod:hRQQo4NMbyQwcZ4cLjHYgxLHld
Threatray 2'305 similar samples on MalwareBazaar
TLSH T145F40244222FC902E4859FB11D32D7B41BA5BF99E861D60BDFCA7EEFB837A501944342
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe
Verdict:
Malicious activity
Analysis date:
2025-10-10 06:30:00 UTC
Tags:
auto-sch-xml formbook xloader
Link:
https://app.any.run/tasks/aa38db2a-ff7c-49ce-913f-fa2f17b0f756

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31995/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e8a6f48b7b147cc4b68734
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68e8a76571883144ef2fe0e6/reports/ffb3e85d-10e6-4095-af73-ae25c14d7c16/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-12T09:05:00Z UTC
Last seen:
2025-09-21T04:38:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38fa61aa-3136-4426-ac80-53f6c362d592
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/a57783577096887dcc65dbeaedba9a6a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-12 11:54:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33fh3nj76olni7pdrmymboqb2xemqqjkzqsxua2c6abbcop6yd7a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
unc_loader_078
Create hunting rule
Similar samples:
3f319e9659fb83474cc2b231bf4eea48f565e8aee82c9eb017ce5b991215106b
Formbook
65032d50c2a6525b8b9cc9636278a4228bbe65ed478c4cea87e40370b2954c1d
Formbook
787d67c191fa30763a476236491b3b4c7e9b09e6734fad056be745dc5897a6d6
Formbook
b7243dcf764700c2e87bf6a530e095222dbd38c741a4ac4fabc0f6acba7271ce
Formbook
cab82749acbaf6bab5ad3c2bb077bac408ae9d1e798e54b8599ca2ce12c88311
Formbook
error
Formbook
+ 2'295 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251010-g71bas1lz4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f24db55-7aa3-4a86-b3a8-82cfba7790ca
Unpacked files
SH256 hash:
deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe
MD5 hash:
a57783577096887dcc65dbeaedba9a6a
SHA1 hash:
d889d3fbd1f4e2811740a7eb6ea03dded897a439
Link:
https://www.unpac.me/results/31a435b7-5da1-40c7-b18d-d7da0c4fe673/
SH256 hash:
0e548d1a3f7f1b75e45a72e0b03ca6dd8359b636d18685c673246945744ae5eb
MD5 hash:
685a9bdd48a42097da04262e1cac7701
SHA1 hash:
2a3dd0b850c3d95cf25520bce330d6d99fecf5a9
Link:
https://www.unpac.me/results/31a435b7-5da1-40c7-b18d-d7da0c4fe673/
SH256 hash:
a6e999fe04ae654b579581acda5f9cf0bd434d025f54c9f757a420b595e4c4c5
MD5 hash:
77a22330bb9a4b0880e6697290967b7f
SHA1 hash:
0297b32756d1a958834f727c59940a9179e9ff39
Link:
https://www.unpac.me/results/31a435b7-5da1-40c7-b18d-d7da0c4fe673/
SH256 hash:
b0399b5d1caffa906289af87610ed0a7ab9ff9b9d5dfd26d3ec29e11917847ae
MD5 hash:
0cb86f03ac51725b0c44f74159184418
SHA1 hash:
16fc51cdb1439e306b16d30dd0f9146303dd2910
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/31a435b7-5da1-40c7-b18d-d7da0c4fe673/
SH256 hash:
dc31ced9db030528e03adf3a185935d0ae47a9a13ca1ed1be5169cbc023bbc86
MD5 hash:
d1baf78256c8a397bd72e168f60272ce
SHA1 hash:
c3c280e2a646eb63c97f1f0e6a07f960b94946fb
Link:
https://www.unpac.me/results/31a435b7-5da1-40c7-b18d-d7da0c4fe673/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/deca7db53ff396d47de38b30c0ba01d5c8c8412acc257a0342f0021139fec0fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31995/

Comments