MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e07e7df88008f8d1ba3b459a3e8907c78c7a22cadfcb2ab439ffda155d3e2fc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 17



SHA256 hash: e07e7df88008f8d1ba3b459a3e8907c78c7a22cadfcb2ab439ffda155d3e2fc0
SHA3-384 hash: 47ef041ba9115fc5b0d6d13faeb87dc931e38399782a2ed837d93de3e1f816a879bf8f8b7f52780eb76dee42f761ec24
SHA1 hash: 5dc3539b6fed4f9905e5a6e29bf13909a7c6e1e6
MD5 hash: 9a8a88ad4308cad8814369cb40e93bc5
humanhash: robert-cold-mountain-maryland
File name: Quotation.scr
Signature: Formbook
File size: 837'632 bytes
First seen: 2025-12-02 08:48:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 12288:F0WbnbtCKNB1QoV2PEZ9Z9Y5RmPk+686QiHqK7rqmDFEUyfxUPm5UX50585QQ+:aYtzVS3Rq6QiH+mJyecUey1
TLSH: T1D505F08BF2C4E803C8425A743B61F6B4CDEE6DD9980ED697AFE83E5B3D795151A23001
TrID:
69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Quotation.scr
Verdict: No threats detected
Analysis date: 2025-12-02 08:51:22 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: virus msil
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin masquerade packed tracker vbnet
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-24T08:24:00Z UTC
Last seen: 2025-12-04T00:59:00Z UTC
Hits: ~1000
Detections: Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan.MSIL.Taskun.sb HEUR:Trojan-Spy.MSIL.Noon.gen VHO:Backdoor.Win32.Agent.gen Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Threat name: ByteCode-MSIL.Trojan.NegaStealer
Status: Malicious
First seen: 2025-11-24 11:37:04 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Unpacked files
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e07e7df88008f8d1ba3b459a3e8907c78c7a22cadfcb2ab439ffda155d3e2fc0

(this sample)

  
Delivery method: Distributed via e-mail attachment
