MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
SHA3-384 hash: fbc4defd2e38f6d2d2cf2ddda0cb58126af7143cec683d6399245afd7749384db86fc1827e45b430f9542de0e290d628
SHA1 hash: e3c8ca6ed9c8aab22d3c0be162433ab78ad51716
MD5 hash: 896788202cb9472561affa8aea6cc84a
humanhash: yankee-six-leopard-cardinal
File name:ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
Download: download sample
Signature Formbook
Create hunting rule
File size:737'280 bytes
First seen:2025-04-07 14:02:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:N3pzxlloFe1dMOYES7aaStI34saJk5MbgVEhqfDgxD0zh6P3QMH0zWPVfT33:N1lZddFSd+I34saJHbdhqfA+6P3zLtfz
Threatray 4'525 similar samples on MalwareBazaar
TLSH T1F7F412156075DD07C48B1FB86C60C2B413F99EEEA212DB836FDDADAB70A73052680757
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'198
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/1087/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f3db27e011fe619fac019d
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67f3db232d430c849e0ab923/reports/e6add01a-da2b-48bf-88ea-db22efe250f0/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6b38ac8-d59c-4b03-9e7a-9e3ae5cdcfcf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1658390
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1658390 Sample: iqHldGUZW1.exe Startdate: 07/04/2025 Architecture: WINDOWS Score: 100 33 www.tgwfj.xyz 2->33 35 www.irebel.xyz 2->35 37 11 other IPs or domains 2->37 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected FormBook 2->53 57 4 other signatures 2->57 10 iqHldGUZW1.exe 3 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 55 Performs DNS queries to domains with low reputation 35->55 process4 dnsIp5 31 C:\Users\user\AppData\...\iqHldGUZW1.exe.log, ASCII 10->31 dropped 16 iqHldGUZW1.exe 10->16         started        45 127.0.0.1 unknown unknown 13->45 file6 process7 signatures8 47 Maps a DLL or memory area into another process 16->47 19 Le0hU5r1zr5qQ.exe 16->19 injected process9 signatures10 59 Found direct / indirect Syscall (likely to bypass EDR) 19->59 22 bitsadmin.exe 13 19->22         started        process11 signatures12 61 Tries to steal Mail credentials (via file / registry access) 22->61 63 Tries to harvest and steal browser information (history, passwords, etc) 22->63 65 Modifies the context of a thread in another process (thread injection) 22->65 67 3 other signatures 22->67 25 Le0hU5r1zr5qQ.exe 22->25 injected 29 firefox.exe 22->29         started        process13 dnsIp14 39 garan.shop 206.221.176.239, 49706, 49707, 49708 RELIABLESITEUS United States 25->39 41 www.3dwjz3c5.top 103.80.18.251, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong 25->41 43 6 other IPs or domains 25->43 69 Found direct / indirect Syscall (likely to bypass EDR) 25->69 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-04-07 14:03:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75qp733hsrnnvs7mh5e7wfdodaj5kuwui55hi4kpy3ynsuojyxoq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
769cba836f991b58e8f70ebecb20c4e34fc5e1d1fc7c031b8fc704f43676d83a
Formbook
8671b523e51639f2655a3a66c01cc6b9d6db29eff0ad4c052560b137cc373f86
Formbook
8eccedb76290d5d3fa5b4385e20339757f264cb4f943df01b42762e6e69e18b3
Formbook
c07269f55d74289f36f6260586c9c0b32a88cdb43c6fda914170a585b37745e8
Formbook
e654880ee3c416a237988b239e29a282457ca35f05fde6a3268e6cb3fce3a2a3
Formbook
error
Formbook
f4e5ec593dcb18dca253d98f5133050e96f27f86c1e46b5882abf797fefe26b1
Formbook
+ 4'515 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250407-rcsyva1yay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/22c12965-636a-4d3f-8732-4d0604b9fd50
Unpacked files
SH256 hash:
ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
MD5 hash:
896788202cb9472561affa8aea6cc84a
SHA1 hash:
e3c8ca6ed9c8aab22d3c0be162433ab78ad51716
Link:
https://www.unpac.me/results/3c74b0ac-ee4d-4369-858b-fd7c2ef38439/
SH256 hash:
45090736995073d956f6d1d7492a48aa6aff25247d44367c462d98acc416b8fa
MD5 hash:
f0dc051742401253a4b4b9ae8fec75b7
SHA1 hash:
03c822d0169724340993b2ae671e749c1e2ee6ba
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3c74b0ac-ee4d-4369-858b-fd7c2ef38439/
Parent samples :
769cba836f991b58e8f70ebecb20c4e34fc5e1d1fc7c031b8fc704f43676d83a
8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
a6918f34f6ec6b61354a88f4275de492bf08ac570525b76e40c11ef377c85718
c82c8f715142e8bb457caeef673c059332a6bbcc4dbb9c5648b5af9228fffda7
9dea2c8077ef669f375ee39b3696212613965aa7abc9cd511260700b274fb52e
ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
6d085e9fc9f8b798a52545a899121da1c6415a125f0adc9c056e5c162143f413
cf2142b71c02cebf4aca8910971c84f52b7692fdc6c7bdccebf8c93f6c9aca1c
SH256 hash:
2f2858b24c896e165e33f41978997d24aa40439dae0cca7d7cc100abd0f50bb5
MD5 hash:
a67fa8cbc2369f8829a23c53b3c7be16
SHA1 hash:
0fc832c3e1f5b06879c788e3d4b28ef55b463b25
Link:
https://www.unpac.me/results/3c74b0ac-ee4d-4369-858b-fd7c2ef38439/
SH256 hash:
61829328a8b0c11a6eab72aa6e3593a307a8e5b1428a7de6f9d9890317b9d6d3
MD5 hash:
444b3afca5648419ef4fff73d2a7663c
SHA1 hash:
1286deca9bbbe9fd70ee4e537bbdae608dfb690b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3c74b0ac-ee4d-4369-858b-fd7c2ef38439/
SH256 hash:
b1a9a78fe8c6a2256ef629aa5de828a53926bf954967b278c68666704f524bfe
MD5 hash:
94c294bcad561294bf29d648223f50f7
SHA1 hash:
3bb1027c513d3d465ea51d8b4a3a3b872539a913
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3c74b0ac-ee4d-4369-858b-fd7c2ef38439/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff60ffef6794/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/1087/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments