MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
SHA3-384 hash: 0b4d5a8a1e1cb6dfc714caecf4edc85261082903287ffeb3bf87e5b9280dcf192f8ac115c98db1bf68b70b1f543ad53e
SHA1 hash: 9507b5a4e9260e3282c854f63a2e621e3eb746d0
MD5 hash: 0dc0e153ff0d96dd3e163aa5577719b9
humanhash: robert-one-sweet-bulldog
File name:ORDER No. 201945.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:869'376 bytes
First seen:2025-08-05 07:50:21 UTC
Last seen:2025-08-06 07:15:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:vtwHmSjABbu8wn/8yEdCUU8sAJV7r4k1QqO+/KI4S:vtUCu9n/8y6X4AJV78om+/KU
Threatray 4'011 similar samples on MalwareBazaar
TLSH T17B05F11073549EB7F4AE2FB596A0E63023686D594CE5D34E0ECDBECB783578248F1A42
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
64
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
ORDERNo.201945.exe
Verdict:
Malicious activity
Analysis date:
2025-08-05 07:55:06 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/1488a827-7c15-4f28-bd4f-e90cb86daadf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18968/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.16346115.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6891b7c21e8a59ee04e579d3
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc zero
Link:
https://www.filescan.io/uploads/6891b7fe73b8ef6f4aff9ce3/reports/051be889-0078-4566-8346-57a3f244b951/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/38873ee3-afbe-4bfc-815d-0d35623b0adc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1750350
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.45 Win 32 Exe x86
Link:
https://app.malva.re/file/0dc0e153ff0d96dd3e163aa5577719b9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-08-04 09:05:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54vfjrliruhakx772irzjqlizapyb3ckrkztz24h44fg5xpzpfba._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
229143d66574d5d01e18ec3078b0d3de25b91c21dfb79e9f75032a7d8d555f68
Formbook
bde181e1225b6cb39fadcaf7a03659dcb8ba059eee626219b994f739b90e028c
Formbook
ded67530b43d631ec743606859227570de9e18ce9d61a72b2641fdaff6dc78e6
Formbook
e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
Formbook
+ 4'001 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250805-jp1kfshj81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/129fcadf-9833-47c5-aee1-6d880d6df1e0
Unpacked files
SH256 hash:
7b457e79525fdb79fc6a01ecb8ec904ef7dd2b57ae5b9229fc3fed807ba24149
MD5 hash:
7bb566e4739a4252f2bf73076cd289d0
SHA1 hash:
00e87658b74e5b71eece71b5dc92c7ad518145fd
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/e7c7845c-f6d0-44d8-9e33-714a6e230102/
Parent samples :
bde181e1225b6cb39fadcaf7a03659dcb8ba059eee626219b994f739b90e028c
e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
3645c06970210b79497c43087a250f575d11106851521861c8b068e434c280f7
ded67530b43d631ec743606859227570de9e18ce9d61a72b2641fdaff6dc78e6
229143d66574d5d01e18ec3078b0d3de25b91c21dfb79e9f75032a7d8d555f68
ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
SH256 hash:
929f07dc02c773e4bd51ce7405e2bc3d8460b0b2c3315875d7dc00a3c4814745
MD5 hash:
9a5507d165f8688348dad24bf793a9f9
SHA1 hash:
6cf4b8abe496742a573302805565bad9df84d1e8
Link:
https://www.unpac.me/results/e7c7845c-f6d0-44d8-9e33-714a6e230102/
SH256 hash:
44a503a4a920421e6e344be82a3468012171b7e63f93d82e17ebe083b1b6044f
MD5 hash:
0bfa8eb0eef81e067751e4dde68e0024
SHA1 hash:
fca38edf0c8c080cab221c36a2af36e43725fb14
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e7c7845c-f6d0-44d8-9e33-714a6e230102/
SH256 hash:
d5382bbdde86d82811eaf1c8f460b96d5b6b37e64e57d1db37e5103d8c62d28a
MD5 hash:
cbca0304e7a007f4f1d55ae3b82b3695
SHA1 hash:
1f5dfc00e67f6aca751bef987cb2b4c38645fcbb
Link:
https://www.unpac.me/results/e7c7845c-f6d0-44d8-9e33-714a6e230102/
SH256 hash:
ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
MD5 hash:
0dc0e153ff0d96dd3e163aa5577719b9
SHA1 hash:
9507b5a4e9260e3282c854f63a2e621e3eb746d0
Link:
https://www.unpac.me/results/e7c7845c-f6d0-44d8-9e33-714a6e230102/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef2a54c5688d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 64335811f3d65455be2cb759ce21f0fe420abb4fa12ba4732606f18cd2cd9c92

Formbook

Executable exe ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 64335811f3d65455be2cb759ce21f0fe420abb4fa12ba4732606f18cd2cd9c92
  
Dropped by
MD5 5fa4afbff3be8ae360e491bf123f6c36
Cape
Cape
https://www.capesandbox.com/analysis/18968/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments