MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
SHA3-384 hash: a21262b1fdd4fc1f636d3812ce926bfebb3ed9025bece3bc6e35ad77909af7a1c21683533b54431961d3af5bd60450db
SHA1 hash: c8bfd88c4d07d260732ed70e17d81c42be13d3c9
MD5 hash: 4630f837bdb7b515ea5da943216c33cf
humanhash: asparagus-maine-mango-london
File name:gQXV0lVdGeT5vj0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'195'008 bytes
First seen:2025-09-10 06:52:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:rIObt95TKU4Nbk9Fih1yp3yKLdAJNq2GWQ+h7lf7iXD+dcTMQIV58iut+uXeGIQ:kGtju9MQh1yp9dWFGK70DTMN5AUIe
TLSH T1D545BF63E4019691DCA9CE72F613C3B60A2B1D759021711FD3C3BE2777B6C278B6A216
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gQXV0lVdGeT5vj0.exe
Verdict:
No threats detected
Analysis date:
2025-09-10 06:55:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb8ffb7e-3b87-4416-8338-73e9d30e914a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26627/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c1207c6e66ba602d79bdb1
Tags:
shell virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-09T07:19:00Z UTC
Last seen:
2025-09-09T07:19:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.Noon.gen VHO:Trojan-Spy.Win32.Convagent.gen Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Injector.gen
Link:
https://opentip.kaspersky.com/e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44f101af-e1dd-4282-8af4-2ee45310cd61
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774473
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774473 Sample: gQXV0lVdGeT5vj0.exe Startdate: 10/09/2025 Architecture: WINDOWS Score: 100 50 www.ugfnonline.top 2->50 52 www.surfclub.shop 2->52 54 19 other IPs or domains 2->54 56 Suricata IDS alerts for network traffic 2->56 58 Antivirus detection for URL or domain 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 7 other signatures 2->62 11 gQXV0lVdGeT5vj0.exe 4 2->11         started        signatures3 process4 file5 42 C:\Users\user\...\gQXV0lVdGeT5vj0.exe.log, ASCII 11->42 dropped 64 Adds a directory exclusion to Windows Defender 11->64 66 Injects a PE file into a foreign processes 11->66 15 gQXV0lVdGeT5vj0.exe 11->15         started        18 powershell.exe 23 11->18         started        20 gQXV0lVdGeT5vj0.exe 11->20         started        22 gQXV0lVdGeT5vj0.exe 11->22         started        signatures6 process7 signatures8 76 Maps a DLL or memory area into another process 15->76 24 4SqXNgyMFM8BpF.exe 15->24 injected 78 Loading BitLocker PowerShell Module 18->78 26 WmiPrvSE.exe 18->26         started        28 conhost.exe 18->28         started        process9 process10 30 net1.exe 13 24->30         started        signatures11 68 Tries to steal Mail credentials (via file / registry access) 30->68 70 Tries to harvest and steal browser information (history, passwords, etc) 30->70 72 Modifies the context of a thread in another process (thread injection) 30->72 74 3 other signatures 30->74 33 I20oTUruRXDN49.exe 30->33 injected 36 chrome.exe 30->36         started        38 firefox.exe 30->38         started        process12 dnsIp13 44 www.dropex.top 203.161.43.222, 49708, 49709, 49710 VNPT-AS-VNVNPTCorpVN Malaysia 33->44 46 blackembercoffee.shop 15.197.225.128, 49712, 49713, 49714 TANDEMUS United States 33->46 48 8 other IPs or domains 33->48 40 WerFault.exe 4 36->40         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 12:14:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4h7axebgx5cffjhw2crbv5wdrykr7zprvddlkryhi6mmewivivxq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250910-hqnfvafj5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e7e1d26c-db73-4981-bef5-8fda38d7dd53
Unpacked files
SH256 hash:
e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
MD5 hash:
4630f837bdb7b515ea5da943216c33cf
SHA1 hash:
c8bfd88c4d07d260732ed70e17d81c42be13d3c9
Link:
https://www.unpac.me/results/d1772908-39cd-488f-ab91-1b7e7198610f/
SH256 hash:
9137dfce3b09b58c208b29f6091f26704c84b43dd6ab86f09300e2a236c94c16
MD5 hash:
d434c050342158af709458f1f9712e6a
SHA1 hash:
3aaf9a812cb54d95ed642eb679d36f89364cf02b
Link:
https://www.unpac.me/results/d1772908-39cd-488f-ab91-1b7e7198610f/
SH256 hash:
12dda0cd3b378fbced3071df357733426bb09e47c31fcc3ba6273650f67895dc
MD5 hash:
773c55854eb467033abb78bc2b667f80
SHA1 hash:
54bfd694185cd257abb4ee6b477dba12b971b9b9
Link:
https://www.unpac.me/results/d1772908-39cd-488f-ab91-1b7e7198610f/
SH256 hash:
8f2cf9adb3cd213d0f52b8c7e7e32a72794736acf623501995b19e2d8da420af
MD5 hash:
7ed9334400570b4b22014e5a2084c8d1
SHA1 hash:
7fe8f8a562fc84955b201955d8fbf0fa87ea3047
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d1772908-39cd-488f-ab91-1b7e7198610f/
SH256 hash:
e394ebb9d7ae52a9e4dd205832403f0f012f4e0bb931602ab63534a2b297b437
MD5 hash:
720ab5bfa591621e3a3d034642530cae
SHA1 hash:
3ccd1ce4bb51eafaa0fd3d86e8f915c739e2e60d
Link:
https://www.unpac.me/results/d1772908-39cd-488f-ab91-1b7e7198610f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1fe0b9026bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3619354/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26627/

Comments