MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6
SHA3-384 hash:	05519fd7f9ead8c2ac958e3b5c82af18c20f8d83bf1a70ddf26fd0672f9ec0960c0bb3cafa1bbca0518ad28e24e75633
SHA1 hash:	231fe2695c8d79a6aa8077224754e0722048b2a4
MD5 hash:	bd4a09a435771defffab5d8fb0460f5d
humanhash:	hotel-golf-hawaii-may
File name:	Request for Quotation #RFQ0447453.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'308'672 bytes
First seen:	2025-06-25 21:20:51 UTC
Last seen:	2025-07-07 14:53:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0b768923437678ce375719e30b21693e (143 x Formbook, 25 x MassLogger, 22 x SnakeKeylogger)
ssdeep	24576:w5EmXFtKaL4/oFe5T9yyXYfP1ijXda5Vadxo/oG8pNjL3CyZ:wPVt/LZeJbInQRa5VOiipVT
Threatray	113 similar samples on MalwareBazaar
TLSH	T12F55CF0273C1C062FFAB91734B5AF6115BBC79260123A62F13981DB9BE705B1563E7A3
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

521

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rl_0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6

Verdict:

No threats detected

Analysis date:

2025-06-25 21:21:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/77d6f66f-eeef-4a68-bb35-a93b555a7561

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/11159/

Detection(s):

SecuriteInfo.com.Trojan.Inject5.58301.22078.30753.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685c685c32ed47a3a8d736bc

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script entropy fingerprint keylogger microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/685c6917f8f8abe4f8b90eb8/reports/18859275-c1c3-4fec-8db2-a09c7d830498/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f82a919e-e3ce-43e8-ab52-752587d7991a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1723036

Signature

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/bd4a09a435771defffab5d8fb0460f5d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6/

Threat name:

Win32.Worm.DorkBot

Status:

Malicious

First seen:

2025-06-25 14:06:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bnagre32itoqzls2dozovrlkjvqnugik3phuhjo4auzs3wlyk63a._file

Verdict:

malicious

Label(s):

formbook

Formbook

2256f1e172b1ea07f131b3963557469893c4a78de76c62c10ae5399a13b51b00

Formbook

efa23692aeb1a3c3365ba0c850e3248f4f0009bf386ff101dcd8dafe65f70024

Formbook

error

Formbook

fc10f8a2cb7e5b03783b730fd3446f94ad4f86276ef9259a73b2bcba910da11d

Formbook

+ 103 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250625-z84n8aer9t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2b2d3526-6748-48cd-b521-8b3109d1e4da

Unpacked files

SH256 hash:

0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6

MD5 hash:

bd4a09a435771defffab5d8fb0460f5d

SHA1 hash:

231fe2695c8d79a6aa8077224754e0722048b2a4

Link:

https://www.unpac.me/results/0809aaa7-56e7-4a7a-aa55-67e40d5fd2d3/

SH256 hash:

b17ed7e79ad5329b1261cfd4a7e54752abbdc17a32e9d88264a7ba3f8d8dec27

MD5 hash:

02364b5cfdc549c0a628a5c287ee2ffc

SHA1 hash:

57f5786958d8afe9aa4161b34aba10220c37d184

Link:

https://www.unpac.me/results/0809aaa7-56e7-4a7a-aa55-67e40d5fd2d3/

SH256 hash:

b9b4b55306aeb0524834dae0a28344d46e0cd38fc8a531c42e2553746236991e

MD5 hash:

9208c5a17f6b9c4248d9ba9050e6dcc6

SHA1 hash:

5d4a72336a090da5ec4177d3f754c9bb886af58b

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/0809aaa7-56e7-4a7a-aa55-67e40d5fd2d3/

Parent samples :

111469403327253b4112522b93d08d8dabef4f14258baaa4e2fb889e67beb231
0c38914220795dbd1b8adbdb2ba2b7d2236099f7720f0d4426a77b15e0a2934b
4fe0933a0bf1ade46b1dfe96a881c8528246b40d32aa3d08c18ab25d71e0946c
efa23692aeb1a3c3365ba0c850e3248f4f0009bf386ff101dcd8dafe65f70024
e5fbe89156a39d6398a8536176f3e983b9b052c2e2e79b61f270e033328edf3b
23323a33069681bab514aeb89322790e97f02099685bcfbeefd43afccca67141
10c502a060f3625e5ec841bf87e3f1e04f1ef0794edfcdc4225dd7d6cde0e2f1
5b3289beac94dff2d22258090d7b1a8af7f5527606fc7e0e24f772e94f5cf7a1
2256f1e172b1ea07f131b3963557469893c4a78de76c62c10ae5399a13b51b00
0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0b4068937a44/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b4068937a44dd0cae5a1bb2eac56a4d60da190adbcf43a5dc05332dd97857b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11159/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample