MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 25 File information Comments

SHA256 hash:	04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9
SHA3-384 hash:	8e3708fecb43a5442438c580b56e263d3c3d592ac26b908895dd5924ba8ffd90d05d76228806848c25c10e5f7aaa848d
SHA1 hash:	22351ed0a0d96b362add906b4e12d72112d852c1
MD5 hash:	1b10d45d79d9794ba7b73d652b14b1ce
humanhash:	princess-mountain-snake-aspen
File name:	04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'062'912 bytes
First seen:	2026-06-08 08:45:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'011 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:aiiAEFT0D1lbLj4/FnfzFVHjoBK1fnUvCSkSH0c7M:g3FQ5BLj8dfXjoBK1fneCSpHT
Threatray	184 similar samples on MalwareBazaar
TLSH	T1E7351258261AD817C4960FB00D70E7B965685FD8E911E603DFFBFEAFF86E6542801382
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	0000000000000000 (902 x AgentTesla, 555 x Formbook, 316 x RedLineStealer)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/59e3d3ea-33e7-4e3e-aefb-07bc7088f670/

Malware family:

n/a

ID:

File name:

04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9.exe

Verdict:

Malicious activity

Analysis date:

2026-06-08 08:48:29 UTC

Tags:

auto-reg netreactor

Link:

https://app.any.run/tasks/9c4a71ad-6643-47fb-ac66-e20d0f5a7c2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/69638/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3252.13273.8249.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2681da3e9eff6a6b68b55d

Tags:

micro shell spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed vbnet

Link:

https://www.filescan.io/uploads/6a26812dbf16337e43bb1163/reports/e4e1def8-89fe-4431-975e-2709e646ef90/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-27T00:37:00Z UTC

Last seen:

2026-06-04T06:05:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2ec15750-0ddb-470c-b2de-9ec6b0703db0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2026-05-27 03:43:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ath3eznn6kgx2aiuo2g4qgitxaa4ztnbhyewmo6v3ssbqj73tt4q._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/260608-kn35mabs7v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Family: Formbook

Formbook payload

Unpacked files

SH256 hash:

04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9

MD5 hash:

1b10d45d79d9794ba7b73d652b14b1ce

SHA1 hash:

22351ed0a0d96b362add906b4e12d72112d852c1

Link:

https://www.unpac.me/results/fe609b6c-db11-4c2b-8d7c-97c5885f28c7/

SH256 hash:

bc182f2d934b3e8f2d8c93739d8c8383e60223af16c62359a10831f76d9d168a

MD5 hash:

e01f8eac49eefbab201ec555dc9ae891

SHA1 hash:

9539cb2e684aded0ee0d1213b1d2679220bef72d

Link:

https://www.unpac.me/results/fe609b6c-db11-4c2b-8d7c-97c5885f28c7/

SH256 hash:

664e822411403b50f1693cd9e283f028624a49726211b74606fa91e158ccb230

MD5 hash:

cc6b782c58b1c35a67b3e0ea21b45e99

SHA1 hash:

bd81125f660d4599fccecdd8c5798d29f8bd3eda

Link:

https://www.unpac.me/results/fe609b6c-db11-4c2b-8d7c-97c5885f28c7/

SH256 hash:

5aef543f2aaa09031143ed0b9734dd693fa81b56dfe75f546df36ea394210131

MD5 hash:

706cd7eac9f2ec43307b7b4538a39a95

SHA1 hash:

e31f3775922f260fc3ba943eb2f2770f7b3b1112

Link:

https://www.unpac.me/results/fe609b6c-db11-4c2b-8d7c-97c5885f28c7/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/04cfb265adf2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/04cfb265adf28d7d0114768dc81913b801cccda13e09663bd5dca41827fb9cf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69638/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample