MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854
SHA3-384 hash: 59ebbd6e2332a1ad942863644c9eee167242828f36e0c42c3d9a3786870c9faa3cf218ba9b041dbeabffb4f3271e89dc
SHA1 hash: 71b6ec6e2a1a7506f7d25e84c4f936d70089e072
MD5 hash: 7326f6fa581c06af70d264d4407eb584
humanhash: spring-grey-friend-hotel
File name:nethost.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:487'912 bytes
First seen:2025-02-18 17:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:hSFa/Y4stjCWIVDsunoZZNciRNUxwMzdrlfzNoACLbWausSZTtpwXW5ku5PogzhQ:0Fa/Y4sUhs9nordewTtpwu5Pogzhzkh9
Threatray 35 similar samples on MalwareBazaar
TLSH T1B5A4DABE59625139DA4A40F82445876255B1B73B03B41FF311AED130271BAB2EED33F9
TrID 39.8% (.EXE) Generic Win/DOS Executable (2002/3)
39.7% (.EXE) DOS Executable Generic (2000/1)
20.0% (.SCORE) Music Craft Score (1007/6)
0.3% (.DBF) Sybase iAnywhere database files (19/3)
Magika pebin
Reporter JAMESWT_WT
Tags:exe FormBook signed tumbetgirislinki-fit

Code Signing Certificate

Organisation:Take-Two Interactive Software, Inc.
Issuer:VeriSign Class 3 Code Signing 2010 CA
Algorithm:sha1WithRSAEncryption
Valid from:2011-09-21T00:00:00Z
Valid to:2013-09-20T23:59:59Z
Serial number: 695043d68f15550fd5db370fa8817b04
Intelligence: 20 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5d269a2e2102e52ecbbae4d3dd27cf260fd6b1edf83887802f05a9411efa8c44
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
464
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b4c511a0fd713c335b919a
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/67cc09ec-de5d-4ace-b2a8-7515d2013fb0
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1618196
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1618196 Sample: nethost.dll.exe Startdate: 18/02/2025 Architecture: WINDOWS Score: 48 15 Multi AV Scanner detection for submitted file 2->15 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
56%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jinhmuevwg23t7yznjfiguteraeskfwbuxmkinajp4xmjmczbka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a0369a61c8dc0a7993d213768939cdf23eaeb8549b96790ed01bd90f04c4219
Formbook
282a05d5e79cd8a8fecb470cdde28f483cc6fa7d70785f6e6e5e3de3dc39a979
Formbook
4b45b4ba58add286f9d46325ddf38565c31d7434101b551f1a5397e8359cef51
Formbook
4d03f7b73b2c841c296788b710a4e3157949b0197b0dfacca3879d20bc5ef3d5
Formbook
62d7cad9ee1f7d3d9055a757d542a9f46c8ada09500f3d5865004127737d9677
Formbook
7b53f972c7650851cafcb03440480cd71fb27b931874bd38f2eaaf1ccf0d1ac7
Formbook
95e45d55e2fc6dd48acddaeed3da271d42f1422fa49f13feeb42016a1a69816e
Formbook
9eff0d7534799160f8c8b4d4968d7a4640559aa2d3365e52ef4b8155426714b4
Formbook
e16a801f068e55f9b014ac4b4cde9415fec763830ef433cb4eb3e0ee9734bf04
Formbook
ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854
Formbook
error
Formbook
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250218-v3sbsavkfk/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8e346558-4303-4af5-9068-95cd6126d4b9
Unpacked files
SH256 hash:
ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854
MD5 hash:
7326f6fa581c06af70d264d4407eb584
SHA1 hash:
71b6ec6e2a1a7506f7d25e84c4f936d70089e072
Link:
https://www.unpac.me/results/ddc6cabe-89d7-4734-bea8-d7cb29d936bd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea50d3b284ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea50d3b284ad8dadcff8cb52541a9324404928b60d2ec521a04bf9762582c854

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments