MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
SHA3-384 hash: 328b26e41d43cb9a4e9751f5967ebaa3ead420937dd770413917002e51d972a03be5086393552dfbfb1ebba78f26e3e6
SHA1 hash: 97ceb9a4c9f413f16817f043ff2955be99a340c9
MD5 hash: dcbd01f9cb6f8624784e662d49e11ef9
humanhash: colorado-apart-happy-robert
File name:rPO895634FGV_doc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:784'384 bytes
First seen:2025-08-15 06:30:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aApcszAMQ426Z4slZW7deuBfTbLvu442W5ObLlXGEYigaIzeVfEZagPdzjezY26a:RmCPZsBPpfL5W5ObLlWegh6yLjezY26a
TLSH T126F401776B01CC07ED910BB00971D7F841BE6EC9A824D20758E8BE97BA77AC375B0295
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon ecf0c68ac2c298f2 (60 x SnakeKeylogger, 14 x Formbook, 6 x AgentTesla)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47.exe
Verdict:
No threats detected
Analysis date:
2025-08-15 06:31:33 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/601af921-5a5f-435f-b43b-b8715f8b9d11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21488/
Detection(s):
Porcupine.MSIL.Kryptik.AOCK.416710.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689ed42148c64d68735c7701
Tags:
underscore shell virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap masquerade obfuscated obfuscated packed packed reconnaissance roboski stego vbnet
Link:
https://www.filescan.io/uploads/689ed41d2fbe0788fb2079ac/reports/e2cd6fc3-bd1b-4ca8-a208-b08b1b021708/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c195e128-eee2-4795-af06-fe89155da350
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.33 Win 32 Exe x86
Link:
https://app.malva.re/file/dcbd01f9cb6f8624784e662d49e11ef9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47/
Verdict:
Malicious
Threat:
VHO:Trojan.MSIL.Taskun
Link:
https://tip.neiki.dev/file/e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-08-15 06:11:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fn7givhywd2i7er3lkhgtmnk2uuczsn5v65xulrifvl5mpdjndq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250815-g9xcestqw9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/865c7f0b-e0c4-4dbe-ab36-ad69b45c87a0
Unpacked files
SH256 hash:
e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
MD5 hash:
dcbd01f9cb6f8624784e662d49e11ef9
SHA1 hash:
97ceb9a4c9f413f16817f043ff2955be99a340c9
Link:
https://www.unpac.me/results/0d81d273-3905-4192-bd95-1041111e7327/
SH256 hash:
cac7fb6a7876656d4bd8bf80711fb7a3a63b1e89d40acc6375ea4896a181fa25
MD5 hash:
924750c7dc8dfa7de870a439ff018086
SHA1 hash:
0ffffb6ae5e30971bb84bb00e31481874e36876f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0d81d273-3905-4192-bd95-1041111e7327/
SH256 hash:
0aa60cb0fe205b051a8e420965a0659ced419e3045455f72de5e1611a6e7f456
MD5 hash:
8e66a7bf7973c554cf3b103722cad9fe
SHA1 hash:
5b34e05b35c1d295e293bbd885438b88c8fd9670
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0d81d273-3905-4192-bd95-1041111e7327/
Parent samples :
e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
c335602ef52f9260cfb20828515938d3c335abce3e459464d802d4c17d2fe8d7
3cb3401f42c9b3847e85aa6cdae6e981b576d289a21a6b7d166879e2b6ae5d6f
c5658d0585c94a50f715384ed28507806352107648eafa58fd7764a16c382244
4f8d01ea75f23293c5424e8b5a7f3f552c16d64f53d66b115f45648a04ecdd7d
be989ee2ddc2062b73483aef4178dbb61ed5acb4754eb864b230d18c7e17b8af
SH256 hash:
45e6d9f786c2286fd40748578551149b5aec2f0cc09191b6b94988daef9289b4
MD5 hash:
61440746ed7b978d75e70598aac30f10
SHA1 hash:
6dfc1e5be22c249bb006bb6b5fc86c210249ec03
Link:
https://www.unpac.me/results/0d81d273-3905-4192-bd95-1041111e7327/
SH256 hash:
7aa749b762708964feba95e0bbba6474aad203e3c148382dadeb6d51d998ad0f
MD5 hash:
d8847695aaa7c972f9f828db3b993f7b
SHA1 hash:
37f0b840535a06b98819b2c22f91ed7dd5f12fc4
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0d81d273-3905-4192-bd95-1041111e7327/
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e15bf322a7c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21488/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments