MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
SHA3-384 hash: 767097f5275c88bbee0e86a6511e573fdc21212e93c8e72a376a97263cfd3c4a7c68061153cb842ba4ff225229d17a44
SHA1 hash: 45799404d6edda377e9620551b48767471874b93
MD5 hash: b417f492a94b049c6bdaef52f6bcacbd
humanhash: mexico-potato-april-lithium
File name:PO 7864785.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:771'584 bytes
First seen:2025-09-09 13:02:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:94dp9tc3wpoTom8kHy41yF/IuyZ3q9enNoUVv0d9QRPEfnYfMNLQIV5s:9w2XompvmJyBMUu8OfnYeLN5s
Threatray 158 similar samples on MalwareBazaar
TLSH T14CF40114321AD902D0514FB55A72E3B41B696F9EF812C607EFCA7EEFB13AF501942362
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 7864785.exe
Verdict:
No threats detected
Analysis date:
2025-09-09 13:05:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c562858-5639-4fb1-aae6-1ff8045f8742

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26466/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c025696e66ba602d7966bf
Tags:
shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap obfuscated packed packed phishing reconnaissance roboski stego
Link:
https://www.filescan.io/uploads/68c02568a1a41633174e7e54/reports/297507d4-9ff9-4843-b9c0-b255953dfd1f/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-09T05:29:00Z UTC
Last seen:
2025-09-09T05:29:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen HEUR:Trojan.MSIL.Injector.gen VHO:Backdoor.Win32.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb
Link:
https://opentip.kaspersky.com/046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc591bce-f427-4a43-9d1e-c62e572db55a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86
Link:
https://app.malva.re/file/b417f492a94b049c6bdaef52f6bcacbd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 09:59:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=arwkfxcdhwkhjttsekwu63akvcndzkvliltmhr3peyfgyl7sihea._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
Formbook
08b026f7abf7574f2c01bdfb97e78b406200a874f2638298c489155b84fcb1b2
Formbook
38c7e35b5c3ffd6988ed96a7edf1bfab263257f08740550324500b7f776e0de1
Formbook
5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0
Formbook
a172deb94ea7c05df19865326d5b50e5e2b594f32e9f417b8f5544e2cf98cbcc
Formbook
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Formbook
da8284106b636de03b241025ab845283131fb8df64a730a854ecad0eff718b3c
Formbook
e087ef304badb09dbb8b38a88337c5e2d4a0d3fc174d75817e622fdd8f5a6722
Formbook
e15bf322a7c587a47c91dad4734d8d56a941664ded7ddbd171416abeb1e34b47
Formbook
error
Formbook
ffc8f79b6654ee83f5afac0fa12a5eeb666dc73b11d05c7fba51e7acab5928de
Formbook
+ 148 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250909-p91nvasjx4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3803beff-4e8d-4f30-a7cc-250fd63af8ff
Unpacked files
SH256 hash:
046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
MD5 hash:
b417f492a94b049c6bdaef52f6bcacbd
SHA1 hash:
45799404d6edda377e9620551b48767471874b93
Link:
https://www.unpac.me/results/34f67d09-d94f-463a-aefa-371731ed0888/
SH256 hash:
12dda0cd3b378fbced3071df357733426bb09e47c31fcc3ba6273650f67895dc
MD5 hash:
773c55854eb467033abb78bc2b667f80
SHA1 hash:
54bfd694185cd257abb4ee6b477dba12b971b9b9
Link:
https://www.unpac.me/results/34f67d09-d94f-463a-aefa-371731ed0888/
SH256 hash:
45e6d9f786c2286fd40748578551149b5aec2f0cc09191b6b94988daef9289b4
MD5 hash:
61440746ed7b978d75e70598aac30f10
SHA1 hash:
6dfc1e5be22c249bb006bb6b5fc86c210249ec03
Link:
https://www.unpac.me/results/34f67d09-d94f-463a-aefa-371731ed0888/
SH256 hash:
3b2b2e60dfddbc575cd789b82ff0be3d038c66660ef92103e3a4eee735cd3d48
MD5 hash:
48cb179e95ae90fac96e08e28611d1d7
SHA1 hash:
eb3da9ff65484e99533c5ad54b62cc19c6650cae
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/34f67d09-d94f-463a-aefa-371731ed0888/
SH256 hash:
958f663f7188005f54ea1373afe4e6353ce038026e152ba3103fbd1a4f381382
MD5 hash:
12ed5a3589be3ed6d0a2b64a58f465fe
SHA1 hash:
d0826259d664dfd2db013a0dbc6d28ad225ef63f
Link:
https://www.unpac.me/results/34f67d09-d94f-463a-aefa-371731ed0888/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/046ca2dc433d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26466/

Comments