MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 19

Intelligence 19 IOCs YARA 6 File information Comments

SHA256 hash:	0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806
SHA3-384 hash:	6c2718267ca6fe31939ed736bc1a80e6bd589879cfc3be85ce75c9af054c84d8c6f7a6c685c61168b39e0f22eb270abc
SHA1 hash:	dc16e766d663af7774f9bef31d361d1b32aff0b5
MD5 hash:	8f88380cf87ac0070cfe4bea8defcf44
humanhash:	video-december-carpet-zebra
File name:	0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'109'504 bytes
First seen:	2026-06-08 08:41:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'040 x Formbook, 12'353 x SnakeKeylogger)
ssdeep	24576:7ulRwL24vpVMCMgwoLnSz8ssA/uAicAfwrbu6/0SSSk:e6Xvdej8sHmASN6/
Threatray	1'913 similar samples on MalwareBazaar
TLSH	T10D3502542216CD09E5928BB98C70E7B417341F84F571D723AFEA7EAF787B60258243E2
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	eaeaa8a8eaaaa8aa (3 x Formbook, 1 x PhantomStealer, 1 x DarkCloud)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/771619d3-3ca7-410a-aef9-aabf90be88ac/

Malware family:

n/a

ID:

File name:

d3bba689350882ef033145c32103e422.zip

Verdict:

No threats detected

Analysis date:

2026-05-26 08:40:44 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/e2da0d9b-83f1-4fa2-a51c-0f707b93d2fd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/69614/

Detection(s):

SecuriteInfo.com.Trojan.Siggen32.45020.19048.5585.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a26814eae2f98c00a68bff2

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed vbnet

Link:

https://www.filescan.io/uploads/6a26806fbf16337e43bb100c/reports/9a0a8f0a-de5f-4999-8fa5-48e83fb100b9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-26T01:58:00Z UTC

Last seen:

2026-06-10T04:55:00Z UTC

Hits:

~1000

Detections:

Trojan.Win32.SpeedBit.sb Trojan-Spy.Noon.HTTP.ServerRequest Backdoor.Win32.Blakken.sb Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Dnoper.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan.MSIL.Inject.sb Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb HEUR:Trojan.MSIL.InjectorNetT.gen Backdoor.Win32.Androm.sb VHO:Backdoor.Win32.Androm.gen

Link:

https://opentip.kaspersky.com/0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a478d07a-6a3d-4c6d-8d3a-995cc66604a8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806

Gathering data

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2026-05-26 05:19:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b74keb57k34k2vup4lgpkqgkxbfcalaevio342i3mibmtczz7ada._file

Verdict:

malicious

Label(s):

formbook

Formbook

099aab7e93cc90414b63769dba429546e4f98953f1c8304f6b8109e6fa0a824e

Formbook

0b6626a93de029cfa30a8b9e33aaa49f648bf75d36a8cba9fe199cfae9bb86c0

Formbook

0cfbc10a408c5747c977cbac7e92bee4aaac42f6fb8d3d73b6e3b0de05208ba0

Formbook

23992ab41872ac21dcd499a48a743e51afa43d873d8564a95f03f4a639d3bfbc

Formbook

27541e7a2b03816dc453852b1251e72fae6e6081984e94248d3edb7e13c780e6

Formbook

62641672222e838c59836451c910b29233433eb80581fc7f3672de2b6a33b365

Formbook

69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce

Formbook

ebc963782a30a3e6cc360a6e4fda16d2acac2de13ee0d8db863082e699dabd5a

Formbook

+ 1'903 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:be04 discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/260608-kmcahsbs4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Family: Formbook

Formbook payload

Unpacked files

SH256 hash:

0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806

MD5 hash:

8f88380cf87ac0070cfe4bea8defcf44

SHA1 hash:

dc16e766d663af7774f9bef31d361d1b32aff0b5

Link:

https://www.unpac.me/results/1dad6f20-5083-4176-add4-10749085825e/

SH256 hash:

677ffa48203d31693b87a70cbeee209a3e0e06a7dfd24daa3f46007aae7da49f

MD5 hash:

f1ea4e8a27cd5c258b9c71f701489d33

SHA1 hash:

dfe7ffaf3c80b7f3882fdde4486fb743b3577813

Link:

https://www.unpac.me/results/1dad6f20-5083-4176-add4-10749085825e/

SH256 hash:

a314d7708b70a681c0a56334a04387fadee8f65ddd396c9543125a9d0ba4aaff

MD5 hash:

b62602bf0a0265457fdb9cf77a9c9911

SHA1 hash:

f07f9838f4ee59acb1982764482bc131bf143c5e

Link:

https://www.unpac.me/results/1dad6f20-5083-4176-add4-10749085825e/

SH256 hash:

1d2546f54c2e0236f49eb733160c4fc49828d612416c7e09379aa23f5df01e4e

MD5 hash:

02dcd52eaed5e2133ebffc427d7befcc

SHA1 hash:

96911e8c81efaa5875390ac27b136c09b570fe3b

Detections:

win_formbook_w0

win_formbook_g0

win_formbook_auto

FormBook

Link:

https://www.unpac.me/results/1dad6f20-5083-4176-add4-10749085825e/

Parent samples :

0cfbc10a408c5747c977cbac7e92bee4aaac42f6fb8d3d73b6e3b0de05208ba0
0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806
b09ba69fa3bf6102addb87e1c01b51a310509a96a66775bb1cacd94ec3c6875e
7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc
35460d0ed6ddee3f707f73eaacf6e49f09f789bdbf460c21f491ba2ff2bb78ef
63dc260a747b9043efb746b691bfc5a9237d1b152321a901bfe156b33e723c9c
c40f8295708cd278252addbc5f42bc9ee1c221efa8c1bbc2b3e7dbb8f8ea8eb3

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ff8a207bf56/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69614/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample