MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 21


Intelligence 21 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
SHA3-384 hash: fb5ad8d8daa47caf1da35131a708a5bb3c625149bb8fba159eb5e05192dc475a64c3cef3c704c732437c768af89145de
SHA1 hash: 92b5207a6e517c5f44297b2506027af2a1227114
MD5 hash: f53de96900c1d476f654dd8ea0b64dc1
humanhash: four-fillet-harry-mobile
File name:QUOTATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'070'080 bytes
First seen:2026-06-15 12:42:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'075 x AgentTesla, 20'033 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 12288:i9uua4mWjroWlzKi3E13hsBEhijE8wpVlSW/CKR15XpN9/6K/KcTh76PlXE4vKE:CmWlb0HsBsxpbrqKR1N9/407kl0a
TLSH T1D835D0297DC69648C5788F75C6731B8C27F1D90BD682D3077EDA30E8892F79AC504A27
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
Link:
https://research.acce.ciphertechsolutions.com/results/54a7b099-7e55-4319-aa7a-17e52d70148b/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-15 12:46:10 UTC
Tags:
netreactor formbook xloader auto-reg
Link:
https://app.any.run/tasks/c7a66b8c-b6dd-4a18-9169-80f8e790c0cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70788/
Detection(s):
SecuriteInfo.com.Trojan.Inoci.17.78243349.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2ff373a15110463ee60758
Tags:
micro shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/6a2ff36f1f652d686580bc76/reports/255cc9eb-158a-44db-b7bc-208d4508051f/overview
Verdict:
Malicious
Labled as:
IL:Trojan.Inoci
Link:
https://www.hybrid-analysis.com/sample/1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-15T09:34:00Z UTC
Last seen:
2026-06-17T05:26:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.MSIL.InjectorNetT.gen Trojan.MSIL.Inject.b Trojan-Spy.Win32.Noon.sb
Link:
https://opentip.kaspersky.com/1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7931de2a-ca28-4062-a8a2-02829d0d3bcb
Result
Threat name:
DarkTortilla, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1927999
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1927999 Sample: QUOTATION.exe Startdate: 15/06/2026 Architecture: WINDOWS Score: 100 58 www.masterscoatsolutions.com 2->58 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 13 other signatures 2->72 13 QUOTATION.exe 3 2->13         started        signatures3 process4 file5 56 C:\Users\user\AppData\...\QUOTATION.exe.log, ASCII 13->56 dropped 16 cmd.exe 3 13->16         started        20 cmd.exe 1 13->20         started        process6 file7 52 C:\Users\user\AppData\Roaming\excel.exe, PE32 16->52 dropped 54 C:\Users\user\...\excel.exe:Zone.Identifier, ASCII 16->54 dropped 62 Uses ping.exe to sleep 16->62 22 excel.exe 2 16->22         started        25 conhost.exe 16->25         started        27 PING.EXE 1 16->27         started        29 PING.EXE 1 16->29         started        64 Uses ping.exe to check the status of other devices and networks 20->64 31 PING.EXE 1 20->31         started        34 conhost.exe 20->34         started        36 reg.exe 1 1 20->36         started        signatures8 process9 dnsIp10 74 Multi AV Scanner detection for dropped file 22->74 76 Tries to detect virtualization through RDTSC time measurements 22->76 78 Injects a PE file into a foreign processes 22->78 80 2 other signatures 22->80 38 excel.exe 22->38         started        41 excel.exe 22->41         started        60 127.0.0.1 unknown unknown 31->60 signatures11 process12 signatures13 82 Modifies the context of a thread in another process (thread injection) 38->82 84 Maps a DLL or memory area into another process 38->84 86 Sample uses process hollowing technique 38->86 88 Queues an APC in another process (thread injection) 38->88 43 explorer.exe 16 1 38->43 injected process14 process15 45 colorcpl.exe 43->45         started        signatures16 90 Modifies the context of a thread in another process (thread injection) 45->90 92 Maps a DLL or memory area into another process 45->92 94 Tries to detect virtualization through RDTSC time measurements 45->94 96 2 other signatures 45->96 48 cmd.exe 1 45->48         started        process17 process18 50 conhost.exe 48->50         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
Gathering data
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2026-06-15 12:43:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbulmbermxp22kigjdpxuczwxpirbomo5v7ui6qq7z7wfpkbjtga._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
sorano
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/260615-px5r2ady6p/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
.NET Reactor proctector
Executes dropped EXE
Unpacked files
SH256 hash:
1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
MD5 hash:
f53de96900c1d476f654dd8ea0b64dc1
SHA1 hash:
92b5207a6e517c5f44297b2506027af2a1227114
Link:
https://www.unpac.me/results/e0b4e9ed-67a3-468f-a666-66ef17cb9208/
SH256 hash:
cad6f02bdd6527c30442d766a69e826e9f5f36a3b8df7ef88d9076964411d87b
MD5 hash:
19c9cab32601134a7cc3ce7d0b25c34a
SHA1 hash:
017b7554650afcd6ea8aaffaafe5ce71762739ee
Link:
https://www.unpac.me/results/e0b4e9ed-67a3-468f-a666-66ef17cb9208/
SH256 hash:
b9fbbc0882a9292051f67b55e19ce05642087cc0b28cfad9c4179ec83e10a260
MD5 hash:
e1bc2eed219732e90e59d2ca3556f7b9
SHA1 hash:
5ff3d4764df59d5c26bb66c0462e95c9ce5ef24f
Link:
https://www.unpac.me/results/e0b4e9ed-67a3-468f-a666-66ef17cb9208/
SH256 hash:
b6d110392f755acca61f24f24dd7a31899301ad8dc4311ffb8b9f5ef99866b88
MD5 hash:
8921df6ba977c93ac1071d058e6033df
SHA1 hash:
7a483ae988dde725b824e675870df550ec5e60ed
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/e0b4e9ed-67a3-468f-a666-66ef17cb9208/
Parent samples :
93ff044e9247c1136e328b8bd3d225513ab3b2975c8e0e03b8f2c52aec9f0be9
ef6e6eeefd2da3e97e1c302f04eb3fbc38eb140c6bd1c3bd95b4f922b2012a49
1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1068b6049165/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70788/

Comments