MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
SHA3-384 hash: dc4ff2e4ad53234c45da1773f2fc74a3f1dcc1eb0d422c317f98b9f869a4244f41afea0089323076c69922c069f1abd1
SHA1 hash: 3c1694c891c4c105ebba6e7255da52121d49d44a
MD5 hash: d19710a60bbd0fb92fc185548c291c3a
humanhash: carpet-nuts-jupiter-stairway
File name:Quotation for the below-mentioned items.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:850'944 bytes
First seen:2025-08-07 15:11:15 UTC
Last seen:2025-08-29 17:42:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:MED+d+1QSjdxey9sZ63AlIZe7bS9sm56s:bvRjXevZ63AlOe7bSum5v
Threatray 98 similar samples on MalwareBazaar
TLSH T12B05F1123754E887D41646B02452F3F077B0AE877650FE89AED52D8F3AA4FD18AC6B43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon e8d4f0e8e8f0d4f0 (3 x Formbook, 1 x DarkCloud, 1 x VIPKeylogger)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
76
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Quotation for the below-mentioned items.exe
Verdict:
Malicious activity
Analysis date:
2025-08-07 15:14:17 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/14377774-812c-4b3e-992d-86920ddcca9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19512/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6894c23011d7f9b979e66ad9
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6894c2472fbe0788fb1b919a/reports/afbba2f4-ee92-43f9-9386-40bf95399556/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43f9197c-cf93-4a63-9af0-bd939391e93c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1752456
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1752456 Sample: Quotation for the below-men... Startdate: 07/08/2025 Architecture: WINDOWS Score: 100 34 www.wavekeith.media 2->34 36 www.reggiadiportici.info 2->36 38 8 other IPs or domains 2->38 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected FormBook 2->48 50 Yara detected AntiVM3 2->50 52 3 other signatures 2->52 11 Quotation for the below-mentioned items.exe 3 2->11         started        signatures3 process4 file5 32 Quotation for the ...ioned items.exe.log, ASCII 11->32 dropped 62 Injects a PE file into a foreign processes 11->62 15 Quotation for the below-mentioned items.exe 11->15         started        signatures6 process7 signatures8 64 Maps a DLL or memory area into another process 15->64 18 R2nBCvHp2HX.exe 15->18 injected process9 process10 20 cmd.exe 13 18->20         started        signatures11 54 Tries to steal Mail credentials (via file / registry access) 20->54 56 Tries to harvest and steal browser information (history, passwords, etc) 20->56 58 Modifies the context of a thread in another process (thread injection) 20->58 60 3 other signatures 20->60 23 EhqAdZLFCJqm.exe 20->23 injected 26 chrome.exe 20->26         started        28 firefox.exe 20->28         started        process12 dnsIp13 40 masterlang.net 107.6.184.118, 49732, 49733, 49734 SINGLEHOP-LLCUS United States 23->40 42 www.chillrocket.top 199.192.23.195, 80 NAMECHEAP-NETUS United States 23->42 44 6 other IPs or domains 23->44 30 WerFault.exe 4 26->30         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-08-07 04:49:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wmlrgye7iu2xx622xwkk7afialiawl4lgmrmc6csy54wxbm6tzq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
225467899634b016ac58b9bb4bb3a49296d08400efdda9d60497f376bf851333
Formbook
71061c247762961b52c05043f9aad7acd24d6be55da97b79136685dc8d71fbcc
Formbook
aefde6d259b1398c252e898253588e747ac7aca311a143d3e694c644ccb47c3b
Formbook
d44959e93dc687dfdb0c21412c5adafe83b051e8f6f75b1063f77444b8997aa9
Formbook
e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
Formbook
error
Formbook
+ 88 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250807-skwv5stvcv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6e597c13-b76d-4ebf-8c79-642ce6377996
Unpacked files
SH256 hash:
e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
MD5 hash:
d19710a60bbd0fb92fc185548c291c3a
SHA1 hash:
3c1694c891c4c105ebba6e7255da52121d49d44a
Link:
https://www.unpac.me/results/e80f1b1f-81b5-4dd2-b1a1-8115b55dd5dc/
SH256 hash:
ecf416558f02b2d950840b92242cab6bd0f60f2398f9665aaf4b8174020e5e53
MD5 hash:
539e0ff67cc63c9b653ed14de1f4be6d
SHA1 hash:
2b96170796470a5c18aa2962ecedf72a398202fb
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/e80f1b1f-81b5-4dd2-b1a1-8115b55dd5dc/
Parent samples :
1745c301e6a15413676f63dbef76e0582000b04cb1205a0ee9559178550c1225
e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3
407e1cb8e679d920ea7b3369c2528a0a9c63380273e5ae2ef22f2934285c1d6d
SH256 hash:
e0c7e31494b0d8dfdbf5d23039d51c75ce096f287e9c060f70714f0de0035be4
MD5 hash:
8b63f16238b2e1b6806d665bc1e5e457
SHA1 hash:
5ec216c6875ec44fcea7bdba781702fc93cde0a6
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e80f1b1f-81b5-4dd2-b1a1-8115b55dd5dc/
SH256 hash:
6602459e917db58b17b53efcaa362098586828fb2cc861bf4158a64857483209
MD5 hash:
9d830fab59624d6820d261b39c5316b8
SHA1 hash:
e14d1e0eb5c9223920fef1028ab7f7c67f0782c5
Link:
https://www.unpac.me/results/e80f1b1f-81b5-4dd2-b1a1-8115b55dd5dc/
SH256 hash:
cb0131436b573bcbf4ee639396f60ec16b4e5d9ccf84bd0fda5ced42acc7099c
MD5 hash:
52900919e5984ed63cf0701e32d430c6
SHA1 hash:
77357da2cb1cf78493024ba0113b1e77dcc8a1a7
Link:
https://www.unpac.me/results/e80f1b1f-81b5-4dd2-b1a1-8115b55dd5dc/
SH256 hash:
499bed196e6aa713f820b78148af17c79be373c6c2a5807f36b1bb7b6c2163c6
MD5 hash:
676026853e2150b57a8d640e843f2024
SHA1 hash:
7ddd601a05d4daece288c7f20de98aee00aa45a5
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e80f1b1f-81b5-4dd2-b1a1-8115b55dd5dc/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e598b89b04fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e598b89b04fa29abdfdad5eca57c05401680597c5999160bc2963bcb5c2cf4f3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19512/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments