MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 9 File information Comments

SHA256 hash:	044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f
SHA3-384 hash:	a80cd59487ad14b31df325f66b07b7df6c0a1cef00aebc864695fe3804a0ded7013320dd42a70d1148a72d39d58237a5
SHA1 hash:	117931fd921674455cc4feea99ef362fffb1f7fc
MD5 hash:	53d771972f7628cae827ad4d13d90fcf
humanhash:	rugby-oxygen-bacon-robin
File name:	044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'417'728 bytes
First seen:	2025-09-05 13:24:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1895460fffad9475fda0c84755ecfee1 (308 x Formbook, 52 x AgentTesla, 36 x SnakeKeylogger)
ssdeep	24576:f5EmXFtKaL4/oFe5T9yyXYfP1ijXdaWRRe9cV0O4635VSIe6xPpeM:fPVt/LZeJbInQRaWRofqek
Threatray	837 similar samples on MalwareBazaar
TLSH	T11665BF0233819066FE5756730E6FE220567C7E6A0133D60F23953E7AB9B1261163FBA7
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

01092025_1543_26082025_ORDEN_3450-09.arj

Verdict:

Suspicious activity

Analysis date:

2025-09-01 15:48:19 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/4885c6be-ec93-4e24-a4ab-83c679ba5a9b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25716/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bae51feb163e0ec18488be

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected threat

Link:

https://www.filescan.io/uploads/68baf787fe1969faa8a6ccb3/reports/4ad78a39-ee36-43ba-ac0a-84e904f39b20/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f

Result

Verdict:

UNKNOWN

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-26T14:15:00Z UTC

Last seen:

2025-08-26T14:15:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/575dff6d-e687-4911-bb2c-c7b718000a07

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/53d771972f7628cae827ad4d13d90fcf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-08-27 01:16:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=arg5dlvwjacxblipwi4cvzrbn6mti3vgo5pq4uytcnsfclijquxq._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250905-r2ht6s1xhy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5387382f-1f75-4f03-b564-a8f63823cb13

Unpacked files

SH256 hash:

9485dba36ff93583b154f4ab11730ed448f7ee199d2203e0166349e8a3640ef7

MD5 hash:

ccfd69f655d4d803882b790df1d2be62

SHA1 hash:

813de8f1af8fedc5fec1f608824b2d7fec05f830

Link:

https://www.unpac.me/results/ba5396fa-a92b-421b-b924-1fa0eb0b53a8/

SH256 hash:

9e7fb0fb601ed14e3db662ad778aa6e0af4ce67d072e4edfd658c1e0e8c469f5

MD5 hash:

643c4ec4e941054c83fd4b0741933a84

SHA1 hash:

312c672cd8de2554772ce942d1ce76738f91adfd

Link:

https://www.unpac.me/results/ba5396fa-a92b-421b-b924-1fa0eb0b53a8/

SH256 hash:

044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f

MD5 hash:

53d771972f7628cae827ad4d13d90fcf

SHA1 hash:

117931fd921674455cc4feea99ef362fffb1f7fc

Link:

https://www.unpac.me/results/ba5396fa-a92b-421b-b924-1fa0eb0b53a8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/044dd1aeb6480570ad0fb2382ae6216f99346ea6775f0e53131364512d09852f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25716/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample