MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32
SHA3-384 hash: f9ed193902108ec9a2276355dc848bdfd595dfa1b54eb8dc1bd3687e9f8fe1e61213b3059ef5d9e48e4a4b28d71bf1a0
SHA1 hash: 482ab3f4c1fc299d2097c3084a549c9b721cbf79
MD5 hash: 20a1551ba84e0e078645adfbdfeaf6ee
humanhash: double-georgia-maine-single
File name:rShippingDocuments.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:999'424 bytes
First seen:2025-05-20 17:00:09 UTC
Last seen:2025-06-06 13:28:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'655 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:0uP6lQ91L1rJrMv7a1a9H/4rScG+0wBc3l:0Wj8TfHA7GdwBc3
Threatray 638 similar samples on MalwareBazaar
TLSH T16B25DF0026B84A15C03857B10A50C1B11BB97D596A67E34AFECE3CEBBF7A721478770B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 13ccc8ccccc8cc13 (8 x Formbook, 3 x SnakeKeylogger, 1 x Loki)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
522
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rShippingDocuments.exe
Verdict:
Suspicious activity
Analysis date:
2025-05-20 17:06:47 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/d8d460b9-57c1-461c-a34d-319d90e2153c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.23698.18301.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682cb52d2f280a98fb4243ae
Tags:
micro krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/682cb54d15ed82cd53d82039/reports/8cc54447-8982-4340-ae79-57e9d5bb850f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d470381-df86-45f0-a9bc-5f67d031b81e
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1695253
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695253 Sample: rShippingDocuments.exe Startdate: 20/05/2025 Architecture: WINDOWS Score: 100 58 www.tempoproje.xyz 2->58 60 www.sexsecurity.xyz 2->60 62 22 other IPs or domains 2->62 74 Suricata IDS alerts for network traffic 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 Multi AV Scanner detection for submitted file 2->78 82 8 other signatures 2->82 11 rShippingDocuments.exe 7 2->11         started        15 ZQSFoXpnJBsJ.exe 5 2->15         started        signatures3 80 Performs DNS queries to domains with low reputation 60->80 process4 file5 50 C:\Users\user\AppData\...\ZQSFoXpnJBsJ.exe, PE32 11->50 dropped 52 C:\Users\...\ZQSFoXpnJBsJ.exe:Zone.Identifier, ASCII 11->52 dropped 54 C:\Users\user\AppData\Local\...\tmpF18D.tmp, XML 11->54 dropped 56 C:\Users\user\...\rShippingDocuments.exe.log, ASCII 11->56 dropped 92 Uses schtasks.exe or at.exe to add and modify task schedules 11->92 94 Writes to foreign memory regions 11->94 96 Allocates memory in foreign processes 11->96 98 Adds a directory exclusion to Windows Defender 11->98 17 vbc.exe 11->17         started        20 powershell.exe 23 11->20         started        22 schtasks.exe 1 11->22         started        100 Multi AV Scanner detection for dropped file 15->100 102 Injects a PE file into a foreign processes 15->102 24 schtasks.exe 1 15->24         started        26 vbc.exe 15->26         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 17->70 28 3RgNfg0bAaiM.exe 17->28 injected 72 Loading BitLocker PowerShell Module 20->72 30 WmiPrvSE.exe 20->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        process9 process10 38 fsutil.exe 13 28->38         started        signatures11 84 Tries to steal Mail credentials (via file / registry access) 38->84 86 Tries to harvest and steal browser information (history, passwords, etc) 38->86 88 Modifies the context of a thread in another process (thread injection) 38->88 90 3 other signatures 38->90 41 L1Z1W1LxtLJ.exe 38->41 injected 44 chrome.exe 38->44         started        46 firefox.exe 38->46         started        process12 dnsIp13 64 www.bluedart.com 199.40.253.49, 49717, 49718, 49719 DHLNETCZ Czech Republic 41->64 66 www.dfsdfgergrrtth.online 208.91.197.27, 49696, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 41->66 68 6 other IPs or domains 41->68 48 WerFault.exe 4 44->48         started        process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 16:08:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pjai25ntfbrj632656tfxoeomtrac6yxfqhxr2wpx6pfp3qdyza._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
32c83ad0392161e5cb654bc817fd6798bf95f3afe176d28f38d326d375599968
Formbook
5e983a7357b431f6b43774024041e6bff410734e1ed8705de7032e3b5cf9f5ff
Formbook
e81120da828bfc636cb5cadb20a4e5418bfd3c66b8211a30510d686c8bb02bc5
Formbook
ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32
Formbook
error
Formbook
f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba
Formbook
+ 628 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250520-vh525shl71/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32
MD5 hash:
20a1551ba84e0e078645adfbdfeaf6ee
SHA1 hash:
482ab3f4c1fc299d2097c3084a549c9b721cbf79
Link:
https://www.unpac.me/results/d1422a07-2a6e-4d9f-b3dc-232cf01005f3/
SH256 hash:
cc20d9969510195970a717f0ad43fe36afbba339e916e3d5946e2894d6924be7
MD5 hash:
6217d01f84e3d1414eea7d4a877fdaa3
SHA1 hash:
18e2a7f7e7415459e33e2da30cdef3e9cfc47eaa
Link:
https://www.unpac.me/results/d1422a07-2a6e-4d9f-b3dc-232cf01005f3/
SH256 hash:
f5ad310d982dc5137e0b82ad46c6719925258c5c47c4372550ce5183a990a112
MD5 hash:
85d2fcd05b8a0a4bcd05126cb6fe3dbb
SHA1 hash:
3453d72e037439eb03e8adf2eca8f498d88263ad
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d1422a07-2a6e-4d9f-b3dc-232cf01005f3/
SH256 hash:
46f04cc163ae9e9662f98d4c2fd3b23aa392611c6b4cc990f7d0e294260aea61
MD5 hash:
ec08a2d6ed1593704cfbe7c3e912d251
SHA1 hash:
5e502ae8fb53101463f96de51a6e94621b8cb5a3
Link:
https://www.unpac.me/results/d1422a07-2a6e-4d9f-b3dc-232cf01005f3/
SH256 hash:
0f51666aec7c0374cb48a5f68f8b93c46708de6373b5b11a951968e37c3dbed6
MD5 hash:
b495b7d8c06033550f82a6489bf69299
SHA1 hash:
30be8080bf11ef04455aff2eaef390c62625d276
Link:
https://www.unpac.me/results/d1422a07-2a6e-4d9f-b3dc-232cf01005f3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ebd2046bad99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments