MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3
SHA3-384 hash:	6428450b5f3fc7df0171294b648c681296b7be42d341d68f7deac64fd4ce6c14b9cc4eeba1429f56694f501b479cf842
SHA1 hash:	5c8ba31c6fb309bdddae49bd00be52f3dec48b46
MD5 hash:	7a023af69a900a8b99bf74b60d6689f1
humanhash:	happy-fruit-echo-victor
File name:	Swift Copy.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'105'920 bytes
First seen:	2026-02-11 14:49:34 UTC
Last seen:	2026-02-11 15:27:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'742 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	24576:1ecDl2oRDrV4dyJGg3njZQX+1OI9ldPHU9cMiToV:XDAe14wJGOj8+1/9b0IU
Threatray	17 similar samples on MalwareBazaar
TLSH	T1A335124C7385BE55CE588B77D413220884F5D89FE572F3790AD52CF12FA9A89C48EA83
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DeepSea

Details

DeepSea

DeepSea decrypted strings

Link:

https://research.acce.ciphertechsolutions.com/results/46616a48-9426-4a45-9c2b-6788bc6eab6e/

Malware family:

formbook

ID:

File name:

Swift Copy.exe

Verdict:

Malicious activity

Analysis date:

2026-02-11 14:51:47 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/7f5b7221-d6fd-426b-816c-b0c12723023c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/53013/

Detection(s):

Win.Packed.Genie-10059343-0

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698c9735d255592b7e32fcf4

Tags:

virus micro sage

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated obfuscated packed

Link:

https://www.filescan.io/uploads/698c972d552d46acbff247e9/reports/b9bb6315-eab0-4e39-bd9b-411586d25bb1/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-10T23:41:00Z UTC

Last seen:

2026-02-13T04:56:00Z UTC

Hits:

~1000

Detections:

Trojan.MSIL.Crypt.sb VHO:Backdoor.Win32.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.sb

Link:

https://opentip.kaspersky.com/0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a2297d6-303a-4980-9c4e-1d4c8e9b6700

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.34 Win 32 Exe x86

Link:

https://app.malva.re/file/7a023af69a900a8b99bf74b60d6689f1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2026-02-11 03:46:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bsblmsg6bf5iir3ovyaypzvodb5u5sdsuv6lfxmaviwf7wwalxzq._file

Verdict:

malicious

Label(s):

formbook

Formbook

351d3d2274389081c215d37dd5ac36e03594eb42123afb49fa5447e60f8156bd

Formbook

479ca9e4974c18451cc33514037e524b1e04aea73d7ea1e2cec19ae5d443bb5d

Formbook

66d0c643f5aa03a5b4303caf17c128e0dc030530f22da3af6ed927cbc9e4f1d6

Formbook

b32d05c6d0606ae99980ac52e9acbae681e7c35936abca1aa7bbc66bc25bb0e5

Formbook

cb6107c4531b230c31244db28ca307058384a7ae968e0f0e41991f35a77b2e72

Formbook

e5f1feba5c6cd56201fd5eb64c4d9dbfae827f756ebbfeda3cb51f453d465d1b

Formbook

error

Formbook

+ 7 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/260211-r7rn9sgt8g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Unpacked files

SH256 hash:

0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3

MD5 hash:

7a023af69a900a8b99bf74b60d6689f1

SHA1 hash:

5c8ba31c6fb309bdddae49bd00be52f3dec48b46

Link:

https://www.unpac.me/results/8e92c21f-e86f-4da5-9e05-74ae56b9bed2/

SH256 hash:

48fa91de316a3b8b9b173548ff297a529e8045cfba133655cb8d7bf2517df628

MD5 hash:

54f2d8dcde429e9fa2c0cef39b6bb0e7

SHA1 hash:

1b0181a02d9f36613fdd5170d1b84a5a8358b2af

Link:

https://www.unpac.me/results/8e92c21f-e86f-4da5-9e05-74ae56b9bed2/

SH256 hash:

8e3d39423babb2447012c40dfe95674a636203b3e351548b82055f862f3ccf01

MD5 hash:

c98cbde5f200af85d8cdc35272062280

SHA1 hash:

67ec5a84a2a2f18845e2e8505db1ff2c04db0ba2

Link:

https://www.unpac.me/results/8e92c21f-e86f-4da5-9e05-74ae56b9bed2/

SH256 hash:

e77c2e44cf5e52bc4fd32855678572343d61d96bf631c7f01eca78bc7b8994b4

MD5 hash:

e36adfcce51acb2e43425f036b78b6db

SHA1 hash:

d239acef1e6f52981dd8a1c3b346c0a65b807caf

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/8e92c21f-e86f-4da5-9e05-74ae56b9bed2/

SH256 hash:

34265b21d08db558cef3273edd46e78f5aef684b6da22c208e9d44c48f284918

MD5 hash:

239434cc0b1ad3e68938a8885552d26a

SHA1 hash:

ed54ac5753c012bf39e949e5eabb233b0bc55f7a

Link:

https://www.unpac.me/results/8e92c21f-e86f-4da5-9e05-74ae56b9bed2/

SH256 hash:

4850f9fee85436ebb5fe318320f8bb7a1727f1911f11515570521abe1991761e

MD5 hash:

dfc25f2f6ae2187721b2ebec76587852

SHA1 hash:

4eb8e8d247de7a761c54dbe5aba5f3bbbc3a25d5

Link:

https://www.unpac.me/results/8e92c21f-e86f-4da5-9e05-74ae56b9bed2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53013/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample