MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba
SHA3-384 hash:	5c7c45edda4bc6a0495b535a30276dac026b7c04c182667244637dedfef94f0195f073f28029080335d0346117024ff1
SHA1 hash:	073fd70916167836d0c95ebd3ff56e66d0c3c035
MD5 hash:	883120f0ac863a52f960943d033435b8
humanhash:	venus-august-utah-magnesium
File name:	SecuriteInfo.com.Win32.MalwareX-gen.13721.17881
Download:	download sample
Signature	Formbook Create hunting rule
File size:	983'040 bytes
First seen:	2025-05-21 06:20:14 UTC
Last seen:	2025-06-06 13:27:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:NwhggYLYPchahpeKqvBRgqY+gZw5h4etGqJ6Fz7svy+t9/MurZOpWt1tbKQ:+dPDlQs5Zw5hVGq8Vs6+t59Pt
Threatray	295 similar samples on MalwareBazaar
TLSH	T1C825DF4026B88A16C03957B00A50C2B11BB97D596627E746FECE7CEBBF767214B87307
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	13ccc8ccccc8cc13 (8 x Formbook, 3 x SnakeKeylogger, 1 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

529

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.13721.17881

Verdict:

Malicious activity

Analysis date:

2025-05-21 06:27:10 UTC

Tags:

netreactor formbook xloader

Link:

https://app.any.run/tasks/0ab18970-9739-4f5b-8b33-0981edbb99b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.13721.17881.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=682d711c2f280a98fb42c5ab

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/682d70acc609634bd7cd164f/reports/35e3ea18-0b2c-43ca-b5e6-2d911d4f0a53/overview

Verdict:

Malicious

Labled as:

MSIL/GenKryptik_AGeneric.BDB trojan

Link:

https://www.hybrid-analysis.com/sample/f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/844fa673-54ab-4328-a932-300418f929b6

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1695622

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba/

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2025-05-20 17:02:10 UTC

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7euilhapj65nssmgwg3ag6yaxuw3ghmuglsk3biazp634jw4jc5a._file

Verdict:

malicious

Label(s):

unc_loader_037

Formbook

5e983a7357b431f6b43774024041e6bff410734e1ed8705de7032e3b5cf9f5ff

Formbook

8fb81d1cd3412c19f02fd834de979e6651cdc5a281a99230b0f41c9d3c2848ba

Formbook

bd9d4a2d5627b27b2e43afd37b07ce6c6b2d64a7017def2020c2c1434eae1a2a

Formbook

d56df9be7fc5ff907c8e58dc441a31bc7d75c354d83e96ba814e69138929583b

Formbook

error

Formbook

+ 285 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250521-g31fhaymv5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/dd0c7299-926e-4500-bdd1-596144a90487

Unpacked files

SH256 hash:

f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba

MD5 hash:

883120f0ac863a52f960943d033435b8

SHA1 hash:

073fd70916167836d0c95ebd3ff56e66d0c3c035

Link:

https://www.unpac.me/results/c9eb1443-12d3-4571-a5e0-55fd55010237/

SH256 hash:

cc20d9969510195970a717f0ad43fe36afbba339e916e3d5946e2894d6924be7

MD5 hash:

6217d01f84e3d1414eea7d4a877fdaa3

SHA1 hash:

18e2a7f7e7415459e33e2da30cdef3e9cfc47eaa

Link:

https://www.unpac.me/results/c9eb1443-12d3-4571-a5e0-55fd55010237/

SH256 hash:

05f9ce752a29c05fc70056515513815fb518bd01246a735c7cc1bc0f40c9b089

MD5 hash:

960cd878150977a125941f6caa794ca0

SHA1 hash:

85508296a194593bea688321e9c203a7a561088e

Link:

https://www.unpac.me/results/c9eb1443-12d3-4571-a5e0-55fd55010237/

SH256 hash:

bb3dd6fda85b3e33ac4760e856734869c030775e5220b36c83c3d80ccbcbf704

MD5 hash:

f6f3ec473bc532578502d1cf05e8bc35

SHA1 hash:

bf1c705019a75fcdc8d415bc088588fb44510133

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/c9eb1443-12d3-4571-a5e0-55fd55010237/

SH256 hash:

4ddcb8901f95c52a2f8806da5c82f89e2d3ee184a2741c6e5fa09084287bf8cb

MD5 hash:

cffd7ae4e826d08c197cad5a369bdc0f

SHA1 hash:

a7808a1fe4db25a786ea9305c3bdfa9c5f4e30eb

Link:

https://www.unpac.me/results/c9eb1443-12d3-4571-a5e0-55fd55010237/

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f928859c0f4f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f928859c0f4fbad94986b1b6037b00bd2db31d9432e4ad8500cbfdbe26dc48ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample