MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a
SHA3-384 hash:	17b02759bde04c84d9e952edbdbaa41174640cb6cce8f1333a8638c770e4a2e596ef137f216025e4c888c37c580fee73
SHA1 hash:	bab9a208852bf6b5646caf761b66f5e24b3ab0f5
MD5 hash:	755a4c1c408482eac40aa2979f501a0b
humanhash:	winter-angel-hydrogen-saturn
File name:	1746614224f09919e9862f409e681b25dbdfd92dfaab21b6c40d6578660a721965eedb5109973.dat-decoded
Download:	download sample
Signature	Formbook Create hunting rule
File size:	295'936 bytes
First seen:	2025-05-07 10:37:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:jQBinYf5RlVMMc9i4TCh3SrFGFc3Hn89tzzjXrquN:EBiunfbr0CMBGFc3n8jzzTrquN
TLSH	T1415423BDD0976093F199E2333F661F09B07E5F5B2752A0D3A0178C5CFB0CA54AA2C699
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.3% (.ICL) Windows Icons Library (generic) (2059/9) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	base64-decoded exe FormBook

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

418

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1746614224f09919e9862f409e681b25dbdfd92dfaab21b6c40d6578660a721965eedb5109973.dat-decoded

Verdict:

No threats detected

Analysis date:

2025-05-07 11:32:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2270cf50-1d61-4355-b023-708a2e6e3b92

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.15917.18274.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681b386b91991ead82b5c5b9

Tags:

injection obfusc virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

microsoft_visual_cc overlay packed packed packer_detected zero

Link:

https://www.filescan.io/uploads/681b37e20b64e174c41bc8d2/reports/f11abd9a-f883-4df1-a9a2-84d950849531/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4e7a272e-7c7f-4290-b724-9a203b1a502e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1683171

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-05-07 10:37:23 UTC

File Type:

PE (Exe)

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5226igmxwp2idrs7wfgyeb22x4pv4l5xblpwubvado4vrezolv5a._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

error

Formbook

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250507-mnzhjstl17/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7f41b7b1-c073-4354-8435-76314f3322d6

Unpacked files

SH256 hash:

eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a

MD5 hash:

755a4c1c408482eac40aa2979f501a0b

SHA1 hash:

bab9a208852bf6b5646caf761b66f5e24b3ab0f5

Link:

https://www.unpac.me/results/0221ad59-44f7-4419-82ce-0893144f16d9/

SH256 hash:

ee6b9af3a8e7794526e63897f891f07cd48f473e2ede429713a2bfc2c2ce347f

MD5 hash:

c2f5cc37f64496f986156d17fe52bdbc

SHA1 hash:

aedbd846d34b1d3fd8d756c6f3551eaefa31710f

Link:

https://www.unpac.me/results/0221ad59-44f7-4419-82ce-0893144f16d9/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eeb5e41997b3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

ps1 f09919e9862f409e681b25dbdfd92dfaab21b6c40d6578660a721965eedb5109

Formbook

exe eeb5e41997b3f481c65fb14d82075abf1f5e2fb70adf6a06a01bb958932e5d7a

(this sample)

Dropped by

SHA256 f09919e9862f409e681b25dbdfd92dfaab21b6c40d6578660a721965eedb5109

Dropped by

MD5 cb59739a63aed32f5f33245ead216a7b

URLhaus

https://urlhaus.abuse.ch/url/3537707/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample