MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 22 File information Comments

SHA256 hash:	e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b
SHA3-384 hash:	b2753b2ad3b3e38c678d55bd0b7b9aa251f4785949da9d3a5e83d3eba8c4dc434477e85d700e900bf7a3168779adb75e
SHA1 hash:	4130875c4257297b9cc734740d6de7cbff2a79e7
MD5 hash:	cef1e86f5c8e0068cdcec6f0150110b5
humanhash:	lima-alpha-south-timing
File name:	90087261762132.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'701'376 bytes
First seen:	2025-06-30 14:33:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2abca3a680b21f6252a3cf4bb41e3d1 (1 x DBatLoader, 1 x Formbook, 1 x XWorm)
ssdeep	24576:WEXBExG0rr/P6w031o1ogt3ZxJebXLLJP1d3JDFlMu9h9G:WEruSwSzgt3ZxJeDvMu9a
Threatray	4'637 similar samples on MalwareBazaar
TLSH	T1E475BFC6638F863DD13606347CFAA7AC582D7EEA3B1476CD1DA26D0C8E292D1E5191C3
TrID	38.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 28.2% (.EXE) Win64 Executable (generic) (10522/11/4) 12.0% (.EXE) Win32 Executable (generic) (4504/4/1) 5.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 5.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	7cf0a49c94988894 (8 x SnakeKeylogger, 5 x RemcosRAT, 2 x XWorm)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

493

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

90087261762132.exe

Verdict:

Malicious activity

Analysis date:

2025-06-30 15:29:51 UTC

Tags:

delphi dbatloader loader formbook stealer xloader

Link:

https://app.any.run/tasks/13a0a877-d385-4b2b-a561-d70a8df62032

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/11674/

Detection(s):

SecuriteInfo.com.Trojan.Inject5.58749.10096.23486.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6862a06b37c343677947cf2f

Tags:

autorun delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the process to change network settings

Launching cmd.exe command interpreter

Setting browser functions hooks

Moving of the original file

Enabling autorun by creating a file

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi fingerprint keylogger packed

Link:

https://www.filescan.io/uploads/6862a074320dea0dabb67c6f/reports/6e6ca845-d038-4620-a890-3e43f2958be2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

Malware family:

ModiLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f09a6d51-9f64-42a0-bb74-2cbb4b0c3e83

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/cef1e86f5c8e0068cdcec6f0150110b5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b/

Verdict:

Malicious

Threat:

Win32.Backdoor.FormBook

Link:

https://tip.neiki.dev/file/e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-06-30 05:58:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5fvcxgjxek7ogoj57ev6t5hmem3hhjyfprh4ruy4krr7fa3itffq._file

Verdict:

malicious

Label(s):

dbatloader

formbook

Formbook

5f8469ff520ad563203f02d05f56eb5733cac27fb4361dc15ff3bc80aa78745d

Formbook

7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7

Formbook

8b56b1ed9616f633179ff6997d01c9a0dfd1d55330466fe965a69fbedc1d12c0

Formbook

e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

Formbook

ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9

Formbook

error

Formbook

+ 4'627 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery trojan

Link:

https://tria.ge/reports/250630-rxgrbazth1/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/37a4b61d-8ef9-4bac-a2bb-2dfb06720239

Unpacked files

SH256 hash:

e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

MD5 hash:

cef1e86f5c8e0068cdcec6f0150110b5

SHA1 hash:

4130875c4257297b9cc734740d6de7cbff2a79e7

Link:

https://www.unpac.me/results/71333413-2f80-4d7c-b48d-3648d57ee75d/

Malware family:

DBatLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e96a2b993722/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/11674/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample