MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483
SHA3-384 hash: c20baef5638d77d3fad273fde0a848238ddc2cb0ac98bcdcf44fb05137479d06fecaa88cfd1da8496ed6d30b3af16ba3
SHA1 hash: 195c13eb8b4263d4bbe62aef31d19d947bd35606
MD5 hash: d9fe47c58b52b6c22eb3406703f796cc
humanhash: march-network-april-cold
File name:Halkbank.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:891'392 bytes
First seen:2025-07-12 19:07:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:a74jGYzSS3vouhmZFp1rCY/FgPVNmhECtP:O4jGY2S3vQaugPVgEC
TLSH T13D15DF2176B5AF51C5B943F81660E73107F25CAFE43AD31A1CC66CEF3978B814922A93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe FormBook geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
22
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483.exe
Verdict:
No threats detected
Analysis date:
2025-07-12 19:10:01 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/b2636167-2c83-4520-9942-66c79ae63a2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14023/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6872b2ad900df8e7f86a4328
Tags:
underscore spawn shell virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6872b2bb425a30d7acd7cee9/reports/d765f731-5157-40a1-9614-cc9f4f717e14/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6907604-7f69-4e7a-bfdc-5ba9f1b52c20
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1734915
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1734915 Sample: Halkbank.pdf.exe Startdate: 12/07/2025 Architecture: WINDOWS Score: 100 42 www.bankstaking.xyz 2->42 44 www.eostech.xyz 2->44 46 4 other IPs or domains 2->46 68 Suricata IDS alerts for network traffic 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected FormBook 2->72 76 8 other signatures 2->76 10 Halkbank.pdf.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 74 Performs DNS queries to domains with low reputation 44->74 process4 dnsIp5 40 C:\Users\user\...\Halkbank.pdf.exe.log, ASCII 10->40 dropped 78 Adds a directory exclusion to Windows Defender 10->78 80 Injects a PE file into a foreign processes 10->80 17 Halkbank.pdf.exe 10->17         started        20 powershell.exe 23 10->20         started        22 Halkbank.pdf.exe 10->22         started        24 Halkbank.pdf.exe 10->24         started        54 127.0.0.1 unknown unknown 14->54 file6 signatures7 process8 signatures9 64 Maps a DLL or memory area into another process 17->64 26 8ci52uEX.exe 17->26 injected 66 Loading BitLocker PowerShell Module 20->66 28 WmiPrvSE.exe 20->28         started        30 conhost.exe 20->30         started        process10 process11 32 ROUTE.EXE 13 26->32         started        signatures12 56 Tries to steal Mail credentials (via file / registry access) 32->56 58 Tries to harvest and steal browser information (history, passwords, etc) 32->58 60 Modifies the context of a thread in another process (thread injection) 32->60 62 3 other signatures 32->62 35 JJ47RQ0Z.exe 32->35 injected 38 firefox.exe 32->38         started        process13 dnsIp14 48 www.pwrpal.app 75.119.206.187, 49692, 80 DREAMHOST-ASUS United States 35->48 50 wakingupbrave.info 3.33.130.190, 49693, 49694, 49695 AMAZONEXPANSIONGB United States 35->50 52 www.eostech.xyz 76.223.54.146, 49697, 49698, 49699 AMAZON-02US United States 35->52
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Backdoor.FormBook
Link:
https://tip.neiki.dev/file/ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-07-10 13:02:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54f5f367trrhxjdo3j3ypw3mz2dq7rxn5uytktihuedvzapcgsbq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250712-xtdhdafn7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/47c8e254-a25f-444b-af9b-8ba2e62b037c
Unpacked files
SH256 hash:
ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483
MD5 hash:
d9fe47c58b52b6c22eb3406703f796cc
SHA1 hash:
195c13eb8b4263d4bbe62aef31d19d947bd35606
Link:
https://www.unpac.me/results/501c7e2d-e5a8-4336-87d8-c58bbd54a6db/
SH256 hash:
56dcf5f74e5b4c70fde7620fe680aec4eab102ad2b1a78acfcaa011f94d67367
MD5 hash:
c81f6a85dedaa9cc3531a934c5734d67
SHA1 hash:
1e51076c082803c7df05618a59f00fa6612f74af
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/501c7e2d-e5a8-4336-87d8-c58bbd54a6db/
SH256 hash:
9fef1a672aaec69721b459f3ff2e772a47d537ca6e9316b95d3895065dacb7bc
MD5 hash:
50cf0fdd21ac3f5d9fe0b39f7414e204
SHA1 hash:
68d6acb7cf15c5a17e514e0170a1ac0f9ebde67e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/501c7e2d-e5a8-4336-87d8-c58bbd54a6db/
Parent samples :
49327b6fefdbd1c747e705e3f5c8cba7161aa3a55c626548fb39337b0d347571
9b8128d013706f374ddaab6573aaad7fb1767cc4459716597836d838acf2c80c
c9a5fff84aef8b46605c9414b3d20e1f190e902454757c1f89179c5436422109
bcd2512db9d2789cd0ad058f0c2fd676cf37368174a75a95306f229df5d66dd2
4ae6b4139407e03c9d0d67b1992ebd2db0000b4e261e0f18925a8fd72d99ffc5
ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483
85f0df12788fb83928af7c24022447312c0fb590c4bad7a205d533e96ac67f22
5ef6ec513cbff82ef5e357753db46627351be6fe83d83fe05485d06330735849
999d567fa7c54493dff984905511d54b94c7d0d6c8034994108ef387cd433946
SH256 hash:
01861a8c4eaf5802d895ab415e7521f3e4eefda4e83fde6b22ea7145f6a22cc3
MD5 hash:
4f9c73c28e0e65aba149a65b4d0cc351
SHA1 hash:
78b2e9d05f7e5da47ba0e489477dcb1c7269aea0
Link:
https://www.unpac.me/results/501c7e2d-e5a8-4336-87d8-c58bbd54a6db/
SH256 hash:
ab21aeb9802501be705343fdeb5173b849ed02c9fb4ad5133189d7fbd7ee0e58
MD5 hash:
97b41a981430c571570c11993d8cb626
SHA1 hash:
1871448587b9351fc884a26574d60435590c2962
Link:
https://www.unpac.me/results/501c7e2d-e5a8-4336-87d8-c58bbd54a6db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef0bd2efdf9c627ba46eda7787db6cce870fc6eded31354d07a1075c81e23483

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14023/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments