MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
SHA3-384 hash: a5b99c16bab576b4d2e1d421d62efe358680e7cb74eb79baf8d84d715111677f2eff0fa3d0f140c0933854146fd99d79
SHA1 hash: 95f154753e37e45d1020efdd7b9df84bed2393aa
MD5 hash: b7f43cd267dbbf40d9a372dd7ddd121b
humanhash: don-quebec-pasta-connecticut
File name:f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
Download: download sample
Signature Formbook
Create hunting rule
File size:708'608 bytes
First seen:2025-01-10 14:32:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tQpIR4R52J+XtahfgMf9rG2DTgQz1NjiKLacKj4N9GROF1CICoMDPwlYHPkCKPRv:CpIeePhfU2ow7iwacJP5nCoMxI
TLSH T131E4E09C3A11F54FC907C5354EB1ED78AA586DAEA60393039AD72DEFFA1D856CE000D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon e44ad8ccc8a4a0c0 (22 x Formbook, 4 x RemcosRAT, 3 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
Verdict:
No threats detected
Analysis date:
2025-01-10 20:10:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69c4d0a9-bb34-4c30-85b7-d174cf8d9cc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Ratx-10038422-0
Create hunting rule

Win.Packed.Ratx-10038456-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67812ff21e9cdec7dbbb75e5
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67812fb010df0fde5dd4159c/reports/7d8b6a42-4bd6-4d47-aa5e-f6666202b533/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d400507f-15f6-46ea-af83-3ad10200ab29
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1588668
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1588668 Sample: FV9P9aHIuG.exe Startdate: 11/01/2025 Architecture: WINDOWS Score: 100 36 www.w165.top 2->36 38 www.tpanekatotosite.top 2->38 40 9 other IPs or domains 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 7 other signatures 2->48 11 FV9P9aHIuG.exe 4 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\FV9P9aHIuG.exe.log, ASCII 11->34 dropped 60 Adds a directory exclusion to Windows Defender 11->60 62 Tries to detect virtualization through RDTSC time measurements 11->62 64 Injects a PE file into a foreign processes 11->64 66 Switches to a custom stack to bypass stack traces 11->66 15 FV9P9aHIuG.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 15->68 70 Maps a DLL or memory area into another process 15->70 72 Sample uses process hollowing technique 15->72 76 2 other signatures 15->76 20 explorer.exe 59 1 15->20 injected 74 Loading BitLocker PowerShell Module 18->74 23 WmiPrvSE.exe 18->23         started        25 conhost.exe 18->25         started        process9 signatures10 50 Uses ipconfig to lookup or modify the Windows network settings 20->50 27 ipconfig.exe 20->27         started        process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 27->52 54 Reads the DNS cache 27->54 56 Maps a DLL or memory area into another process 27->56 58 2 other signatures 27->58 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-12-04 05:01:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mgm3dll2zngyfzomizsebjd3gcfc3qulmdntbv4nqdtnzj57xua._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:k49s discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250110-rwv8baxjdt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
Win.Packed.Ratx-10038422-0
YARA:
n/a
Link:
https://app.threat.zone/submission/b71a020b-a5e5-408d-8f65-82e72c5937a9
Unpacked files
SH256 hash:
83444a43ba472442e2b0fa4d01a2cb7a556ec37f4cd1ba63d17f0ed2809a31a0
MD5 hash:
3cc82489a99c6d951eab4626dc9dd5ba
SHA1 hash:
bb13c4f857a49e23ce51878b6f00778452a2e98e
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/203b2fbf-8153-412d-81eb-4f6a423bcffe/
Parent samples :
bcc41988bc560c5ddf3e58165cc25daec67e3a33529b2179868f1b4b7746db7a
36ac663aee997b4b8da3bd498abcbdb91ca180f7afe402ce8ab166099c098cbf
792bdecda049100bcddb388c74b9fa5aa21d30a167786f1e5a99091a6e77c430
f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
ba331599bb06083aa97ac39010b2d6b5c1078ed519b5ed4dcab97276c84ecedb
f0b540b1edbd94b9a7b330505529477cbbf6742ad78008979661d30b8f54731a
SH256 hash:
043c1a821d9a5486206130e0c7bfbc548dc38e64ca5b065e92abe4176a77b07b
MD5 hash:
b0f59faf9de79475d38a36bf65a41bc4
SHA1 hash:
d1b85d0f3c4b8e797cea00617a0ce7e9b13c6007
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/203b2fbf-8153-412d-81eb-4f6a423bcffe/
SH256 hash:
acf09c80699691d3a6a8d52577d06a7054c1bda1953a55527251e92e15ba037f
MD5 hash:
69473b5123488cff4aae599aa14eb3a4
SHA1 hash:
1d3562fd2fb55582cb97441b9f01065dd80373fc
Link:
https://www.unpac.me/results/203b2fbf-8153-412d-81eb-4f6a423bcffe/
SH256 hash:
f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8
MD5 hash:
b7f43cd267dbbf40d9a372dd7ddd121b
SHA1 hash:
95f154753e37e45d1020efdd7b9df84bed2393aa
Link:
https://www.unpac.me/results/203b2fbf-8153-412d-81eb-4f6a423bcffe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f30ccd8d6bd65a6c172e6233220523d984516e145b06d986bc6c0736e53dfde8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments