MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d770563253e518dd207abb9bb30d0ba69b393bc4fa7f1cc9999f0ea1b661f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 2 File information 3 Yara 2 Comments

SHA256 hash: 06d770563253e518dd207abb9bb30d0ba69b393bc4fa7f1cc9999f0ea1b661f0
SHA3-384 hash: ca59637d06a395029b4287303d0eb8b36b4b128ae6a9a7f7a6592c1f85ea226ebe1fce5b97d0d18d86159bd119c54568
SHA1 hash: 0ed6f49a4333fba64d5bed0037cf8c96b9f6a940
MD5 hash: 75f65167ca6e0e2a9495c6c014ada606
humanhash: johnny-batman-illinois-five
File name:PO 30091.exe
Download: download sample
Signature FormBook
File size:964'096 bytes
First seen:2020-06-30 12:13:56 UTC
Last seen:2020-06-30 13:11:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 175f794d98c9dcb0b47ae1ab1087c22c
ssdeep 24576:fOPXUWD6wEc0bp8RoMTKTNLDKhNPSOBPgI:f9+EFFhMQmhNP3BPgI
TLSH 5B258D22E2D28C37D1732A788D5BB3D4983ABE113D7858866BE53C485F3C6417D392A7
Reporter @abuse_ch
Tags:exe FormBook Yahoo

Malspam distributing FormBook:

Sending IP:
From: Helim Inc <>
Reply-To: Helim Inc <>
Subject: PO 30091
Attachment: PO 30091.LZH (contains "PO 30091.exe")


Mail intelligence
Trap location Impact
Global Low
# of uploads 2
# of downloads 32
Origin country FR FR
CAPE Sandbox Detection:Formbook
ClamAV PUA.Win.Adware.Slugin-6803969-0
CERT.PL MWDB Detection:formbook
ReversingLabs :Status:Malicious
Threat name:Win32.Trojan.Injector
First seen:2020-06-30 12:15:06 UTC
AV detection:26 of 31 (83.87%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   8/10
Malware Family:n/a
Tags:persistence spyware evasion trojan
VirusTotal:Virustotal results 37.50%

Yara Signatures

Rule name:Formbook
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe 06d770563253e518dd207abb9bb30d0ba69b393bc4fa7f1cc9999f0ea1b661f0

(this sample)

Dropped by
MD5 bdac1b1ca24912f40e2f956da739562d
Delivery method
Distributed via e-mail attachment