MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b
SHA3-384 hash: 95c6580c8c33b6bb6b0484cbdf2f473b882692bcae188eab67de9e53434e8127c01bbca11525dcb666ce0a8e23b9d932
SHA1 hash: f66f6db7e77221dc99b00f9252d915fdc1b41b2c
MD5 hash: e0fd019d518f4283a19c72164212a6dc
humanhash: failed-wolfram-princess-hamper
File name:New_Order R_F_Q316891.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:857'088 bytes
First seen:2025-04-29 07:00:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:cQGaKsGDZj4AGggCi0stMKAT6+NHlKlC6Y9kiOXopH4Qc3Mj2P5+kv9jArOizTP:mDGEUynHlKlbYaiOXoZuskv9caiH
Threatray 19 similar samples on MalwareBazaar
TLSH T1650501161654F603D4DA6BB42B70F27913BC6DD97801DB5A8FDA7DEBBE32A000D19283
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
473
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New_Order R_F_Q316891.exe
Verdict:
No threats detected
Analysis date:
2025-04-29 08:13:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/30b387e0-d7d1-4be2-8610-8730ceb4bb4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4941/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68107cadc8b2e86d0ac43212
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6810793d46fe05453ca9a4e0/reports/d1866cd9-a1c3-427e-acda-8741661adda5/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1aaf1ef-ea38-47ee-afdf-f2c49ad770ff
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677060
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677060 Sample: New_Order R_F_Q316891.exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 30 www.whalenavi.xyz 2->30 32 www.factio.xyz 2->32 34 17 other IPs or domains 2->34 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected FormBook 2->46 48 Yara detected AntiVM3 2->48 52 3 other signatures 2->52 10 New_Order R_F_Q316891.exe 3 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 32->50 process4 file5 28 C:\Users\...28ew_Order R_F_Q316891.exe.log, ASCII 10->28 dropped 13 New_Order R_F_Q316891.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 zSRCrX4N.exe 13->16 injected process8 signatures9 42 Found direct / indirect Syscall (likely to bypass EDR) 16->42 19 MuiUnattend.exe 13 16->19         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 19->54 56 Tries to harvest and steal browser information (history, passwords, etc) 19->56 58 Modifies the context of a thread in another process (thread injection) 19->58 60 3 other signatures 19->60 22 zSRCrX4N.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 36 www.factio.xyz 13.248.169.48, 49734, 49870, 49887 AMAZON-02US United States 22->36 38 www.minttide.website 63.250.47.57, 49973, 49974, 49975 NAMECHEAP-NETUS United States 22->38 40 8 other IPs or domains 22->40 62 Found direct / indirect Syscall (likely to bypass EDR) 22->62 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 06:47:36 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6o4hw67onocqvawk7o5nkrcqghf35lk2gdtvbnrjpgfk243qe4fq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
0bc24152db0f975574e94db1827007947731d0d95fed9927d27515475e8f1f47
Formbook
750c0b5cd8ecc25f79e725e1184401806154c3d4880cfabdc3641040a21798d6
Formbook
756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
Formbook
97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa
Formbook
c6ebddfc8508a9943f5f9aae5e7d4406cbadd60a6471fdaf54913e33bc6bc235
Formbook
dac971c09595219e2190a7e73cd539496d26f4981c8a3e8a566aecd2dec7e7a4
Formbook
error
Formbook
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250429-htc5aayl19/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0de325dc-68dd-435a-a291-e5408c471870
Unpacked files
SH256 hash:
f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b
MD5 hash:
e0fd019d518f4283a19c72164212a6dc
SHA1 hash:
f66f6db7e77221dc99b00f9252d915fdc1b41b2c
Link:
https://www.unpac.me/results/914e94ea-6e8c-461d-892c-f2d0f2527733/
SH256 hash:
c09e0e64718e1b45af19885feddc86f902bc18cb5fa5e64dade87ee1c4f0f3f2
MD5 hash:
2e4fe6630c31bbf4ad9558dbdb64ae4d
SHA1 hash:
030852dcab9532308aefb31b1b719416c5840d24
Link:
https://www.unpac.me/results/914e94ea-6e8c-461d-892c-f2d0f2527733/
SH256 hash:
1cf44777b603ff20d89adca8191275a502f883244535d797fb28419fe66eb9d7
MD5 hash:
a9f4601f2f104608c67f1079c9c82967
SHA1 hash:
30dbfa8697d84a53dc65f3222b81da1e11e3943b
Link:
https://www.unpac.me/results/914e94ea-6e8c-461d-892c-f2d0f2527733/
SH256 hash:
d490e675be4f2ed54012bff5ce57ba26eb24dc1868962658532e50f8c2b5e3a7
MD5 hash:
886b3103ef0793d6cbc035dca0251b59
SHA1 hash:
eef75c11c0f3211b04fd29c43247b45fe7b0a10a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/914e94ea-6e8c-461d-892c-f2d0f2527733/
SH256 hash:
177bb9fc5beab5c52d3ae3580f12f2c5318edaf784c8400f3028211d92d7afc0
MD5 hash:
30343c7bd7ee92c9df14dc02c53bf5c3
SHA1 hash:
2124261175217539e346b2d0a2e61f9ca5c7ca5b
Link:
https://www.unpac.me/results/914e94ea-6e8c-461d-892c-f2d0f2527733/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3b87b7bee6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f3b87b7bee6b850a82cafbbad5445031cbbead5a30e750b629798aad7370270b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/4941/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments