MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654
SHA3-384 hash: 2bbdd85bd226203075f81aabfe2d52607864303d407c29bfafdb830dce224f245b9fdcfba2bd2b8f140f303ddd1e6450
SHA1 hash: b12f77e2b413f470e516f2e495ddf779c3d7c0b3
MD5 hash: b49e8d8467cfc7ee52cb05ac8d5092f6
humanhash: december-utah-quebec-yellow
File name:msedge_elf.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:1'281'024 bytes
First seen:2025-12-19 14:11:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b6f1f9b9c01fd7c207f27beb4a86c02 (2 x Formbook)
ssdeep 24576:me/SFGaZZP1d2OvKDD8u5yPTQywDGNluuAbf5YGbqru+w:me6zTKDD8u5+TQywDG7uvf5YGbqq
Threatray 2'518 similar samples on MalwareBazaar
TLSH T16855AE11A3E40BB8D277D278CAB78732D7B1784057709ACF1255D61D2E33BD06A7A32A
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
formbook
Create hunting rule
ID:
1
File name:
_f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654.dll
Verdict:
Malicious activity
Analysis date:
2025-12-19 14:12:57 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/85e28528-31ab-48df-bf4a-e84528fd1079

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45515/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69455d4129df60c6e007bfad
Tags:
malware
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69455d3de126b9ff4388d059/reports/96a613fb-7635-4c14-a7b0-9d54c1c552b9/overview
Verdict:
Malicious
Labled as:
Win64/Agent.ECK trojan
Link:
https://www.hybrid-analysis.com/sample/f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-12-19T08:45:00Z UTC
Last seen:
2025-12-21T12:42:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan-Dropper.Win32.Agent.gen UDS:DangerousObject.Multi.Generic Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C VHO:Trojan-Spy.Win32.Noon.bozz Trojan.Win32.Injector.sb Trojan.Win32.Inject.sb VHO:Backdoor.Win32.Convagent.gen VHO:Backdoor.Win32.Agent.gen Trojan-Spy.Win32.Noon.bozz
Link:
https://opentip.kaspersky.com/f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c205c44c-924f-4012-824b-bcc33bc772fd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1836307
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1836307 Sample: msedge_elf.dll.exe Startdate: 19/12/2025 Architecture: WINDOWS Score: 100 57 www.kickersketch.com 2->57 59 www.escalabranding.com 2->59 61 4 other IPs or domains 2->61 69 Suricata IDS alerts for network traffic 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected FormBook 2->73 75 2 other signatures 2->75 11 loaddll64.exe 1 2->11         started        signatures3 process4 process5 13 rundll32.exe 11->13         started        16 cmd.exe 1 11->16         started        18 rundll32.exe 11->18         started        20 23 other processes 11->20 signatures6 101 Writes to foreign memory regions 13->101 103 Allocates memory in foreign processes 13->103 105 Injects a PE file into a foreign processes 13->105 22 ngen.exe 13->22         started        25 rundll32.exe 16->25         started        27 ngen.exe 18->27         started        29 ngen.exe 20->29         started        31 ngen.exe 20->31         started        33 ngen.exe 20->33         started        35 ngen.exe 20->35         started        process7 signatures8 81 Maps a DLL or memory area into another process 22->81 83 Unusual module load detection (module proxying) 22->83 37 7EeIhwwflkz.exe 22->37 injected 85 Writes to foreign memory regions 25->85 87 Allocates memory in foreign processes 25->87 89 Injects a PE file into a foreign processes 25->89 39 ngen.exe 25->39         started        42 vxBA9P6BMfq.exe 27->42 injected process9 signatures10 44 msra.exe 13 37->44         started        91 Maps a DLL or memory area into another process 39->91 47 P4zl3jXbI6yYe.exe 39->47 injected 50 msra.exe 42->50         started        process11 dnsIp12 93 Tries to steal Mail credentials (via file / registry access) 44->93 95 Tries to harvest and steal browser information (history, passwords, etc) 44->95 97 Modifies the context of a thread in another process (thread injection) 44->97 99 Maps a DLL or memory area into another process 44->99 63 cdqvc.com 178.63.45.142, 49743, 80 HETZNER-ASDE Germany 47->63 65 kickersketch.com 66.235.200.171, 49749, 49751, 49752 CLOUDFLARENETUS United States 47->65 67 2 other IPs or domains 47->67 52 msra.exe 47->52         started        55 msra.exe 47->55         started        signatures13 process14 signatures15 77 Unusual module load detection (module proxying) 52->77 79 Switches to a custom stack to bypass stack traces 52->79
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/b49e8d8467cfc7ee52cb05ac8d5092f6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654
Threat name:
Win64.Spyware.Noon
Create hunting rule
Status:
Suspicious
First seen:
2025-12-19 11:56:32 UTC
File Type:
PE+ (Dll)
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ggcyvt7g2qnn6j5a4t5cy224vx7acmh5uijbslygeclzgnxozka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d2d887adcdf6309c4532e75ddb508db33402c7a488c3e2b8943c6721dab6708
Formbook
31b67bb6dab9508f2c6d14e2401bc290ee930609cee21c515158c72537680bf2
Formbook
ac1bdadf98761eed39833d096c732ca61ede04535ecced46d1f662f9dab206f6
Formbook
error
Formbook
f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654
Formbook
fec34000664e9453638769da3413cddb271e791cbc5f8fb9c7697aeec8133f33
Formbook
+ 2'508 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/251223-qaxzcazmdv/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2a3487f0-781c-4851-af10-5c7eff050667
Unpacked files
SH256 hash:
f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654
MD5 hash:
b49e8d8467cfc7ee52cb05ac8d5092f6
SHA1 hash:
b12f77e2b413f470e516f2e495ddf779c3d7c0b3
Link:
https://www.unpac.me/results/64a262e1-60b5-4479-ac88-eab7a836af7a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f98c2c567f36/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f98c2c567f36a0d6f93d0727d1635ae56ff00987ed1090c9783104bc99b77654

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45515/

Comments