MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 20 File information Comments

SHA256 hash:	06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109
SHA3-384 hash:	bbabddb225cb7c025a4d033c5b4b049a7df9b58615900347ad5cedcfb428076f3e1d09996b07fd023f97490bffe790d1
SHA1 hash:	a5754ed6c2b76f0451740ce2c7ae3b80f8317dee
MD5 hash:	4b870ebb986a4dd151e060cebbdf8279
humanhash:	pip-stairway-minnesota-golf
File name:	SecuriteInfo.com.Trojan.Remcos.650.849.15159
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'894'912 bytes
First seen:	2026-01-07 14:33:48 UTC
Last seen:	2026-01-07 15:23:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f8bf7b54f582b47a2308f7e0b43974d9 (2 x RemcosRAT, 2 x Formbook)
ssdeep	24576:1DUyD7vMf1/iw0/GUhCAk3Kk2BtUMQewKCXu/lR1THo:1tTDhCzaLcemXu/FTHo
Threatray	5'143 similar samples on MalwareBazaar
TLSH	T13295BF22F3905433D4735A384C2BA775482E7E202A1BA486FEED9E4C8F776417DE1297
TrID	26.4% (.EXE) Win64 Executable (generic) (10522/11/4) 25.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 16.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 11.3% (.EXE) Win32 Executable (generic) (4504/4/1) 5.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Trojan.Remcos.650.849.15159

Verdict:

Malicious activity

Analysis date:

2026-01-07 14:36:02 UTC

Tags:

delphi formbook stealer xloader

Link:

https://app.any.run/tasks/e573e8cc-25e5-4bd2-a7aa-3dd9e6d9201a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48072/

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695e6eebf50945831dfe53a1

Tags:

emotet spawn micro blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Creating a process from a recently created file

DNS request

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi fingerprint keylogger modiloader packed zusy

Link:

https://www.filescan.io/uploads/695e6ee66c34f71773c50d9d/reports/f708d597-ed07-4fca-9a17-47e6c9413e7f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-06T18:23:00Z UTC

Last seen:

2026-01-08T10:22:00Z UTC

Hits:

~100

Detections:

HEUR:Backdoor.Win32.Remcos.gen HEUR:Backdoor.Win32.Agent.gen Backdoor.Win32.Blakken.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win32.SpeedBit.sb Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/43f1c5e9-6073-4f0c-b107-a03c70d8cc74

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/4b870ebb986a4dd151e060cebbdf8279

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2026-01-07 05:36:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aycswqqcpelkr23lucsnza4stir4rlcda5e6kjeafmfz73t46eeq._file

Verdict:

malicious

Label(s):

formbook

dbatloader

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:pe02 discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/260107-rxh95shv9g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7456c703-6afb-444a-9304-752ba64c8770

Unpacked files

SH256 hash:

06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

MD5 hash:

4b870ebb986a4dd151e060cebbdf8279

SHA1 hash:

a5754ed6c2b76f0451740ce2c7ae3b80f8317dee

Link:

https://www.unpac.me/results/bef5ac02-2565-4db4-bb5e-2e3568349334/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/bef5ac02-2565-4db4-bb5e-2e3568349334/

SH256 hash:

0421211389d0de69a1ab24415c6b83cf1725e3643752a2858cdeb6baacd15638

MD5 hash:

26c425142b1f3c102b50aabb70e398f4

SHA1 hash:

3c492535e29b9c4522b09deed19ed168fd05bbc9

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/bef5ac02-2565-4db4-bb5e-2e3568349334/

Parent samples :

931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37
06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/06052b420279/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/