MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a
SHA3-384 hash: 179cf4a89bed9e3e2d37b0501cac065d3ca45066a4379e4811fe73036f9c2e7722507dfe76cc419b63ef5aacb2a68cc1
SHA1 hash: 02fc0e6a25d4fb7bf699cc909e0cc11fbe9b4848
MD5 hash: edc95bcace6376a960cbb45745985b36
humanhash: venus-bakerloo-colorado-quiet
File name:RFQ Q00641626.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'156'096 bytes
First seen:2026-01-16 02:09:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91d07a5e22681e70764519ae943a5883 (126 x Formbook, 32 x a310Logger, 27 x AgentTesla)
ssdeep 24576:/tb20pkaCqT5TBWgNQ7ax6A+JiVZRQEE36A:8Vg5tQ7axV+yZ2EK5
Threatray 2'736 similar samples on MalwareBazaar
TLSH T1E435C01373DD8361C3B25273BA65B701AEBF782506A5F86B2FD8093DB920162521E773
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
AutoIt AutoStones
Details
AutoIt
extracted scripts and files
AutoStones
the names of side-loaded components and, if available from processing of a parent file, the deobfuscated components
Link:
https://research.acce.ciphertechsolutions.com/results/0833daf9-2dfa-4e59-aa71-6d64c33f5ee1/
Malware family:
n/a
ID:
1
File name:
RFQ Q00641626.exe
Verdict:
No threats detected
Analysis date:
2026-01-16 02:09:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c416b8a-00f3-4721-a60b-59b1c644f45e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49058/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69699dd7ef906a21abcda501
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint keylogger microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69699dd33dd9d20950567068/reports/2893bd51-8db7-4661-96bd-250922b6a2f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-15T23:03:00Z UTC
Last seen:
2026-01-18T00:11:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Dorifel.sbd Backdoor.Agent.HTTP.C&C Trojan.Win32.Zenpak.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Auzenpak.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan-Spy.Win32.Noon.bpjr VHO:Trojan-Spy.Win32.Noon.bpjr
Link:
https://opentip.kaspersky.com/11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e84b12d3-0a1d-4f1f-81d3-40a31fd375bd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1851793
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1851793 Sample: RFQ Q00641626.exe Startdate: 16/01/2026 Architecture: WINDOWS Score: 100 28 xt_skip.outgedns770.com 2->28 30 www.we5ityx.cyou 2->30 32 19 other IPs or domains 2->32 48 Suricata IDS alerts for network traffic 2->48 50 Antivirus detection for URL or domain 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 7 other signatures 2->54 10 RFQ Q00641626.exe 4 2->10         started        signatures3 process4 signatures5 56 Binary is likely a compiled AutoIt script file 10->56 58 Writes to foreign memory regions 10->58 60 Maps a DLL or memory area into another process 10->60 13 svchost.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 64 Unusual module load detection (module proxying) 13->64 16 NhpNEVJnf.exe 13->16 injected process8 process9 18 reg.exe 13 16->18         started        signatures10 40 Tries to steal Mail credentials (via file / registry access) 18->40 42 Tries to harvest and steal browser information (history, passwords, etc) 18->42 44 Modifies the context of a thread in another process (thread injection) 18->44 46 4 other signatures 18->46 21 2ItevsLX5RAHG.exe 18->21 injected 24 firefox.exe 18->24         started        26 chrome.exe 18->26         started        process11 dnsIp12 34 www.feoa.site 104.207.65.180, 49750, 49751, 49752 WINNE-IPV4-1US United States 21->34 36 hindustan.ist 15.197.225.128, 49723, 49729, 49731 TANDEMUS United States 21->36 38 11 other IPs or domains 21->38
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-01-16 02:09:27 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgwikcmqggunhrtgv2bjluntniarlpm3hqyzjapop44ukbqtavfa._file
Verdict:
malicious
Label(s):
autoit
Create hunting rule
formbook
Create hunting rule
Similar samples:
05da500934c4ab1b7bbc5e366f571bfe47d99a24efb4419966029f6fb8732de2
Formbook
4139421ed55c3e312d485d67869250d329a4f2e50407e0fcddd74ee419abf216
Formbook
43b5215b6259c91a50783e08627245c8fa4d77c90030c3b043c26e4ce61fba32
Formbook
5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34
Formbook
901891aee909a9e9c4deccca42311c0b7b5aaedea79082512b6e81db2f2e4323
Formbook
90b33d8252b9470d19ac4aff278e6470c04bafe0a04cf143b61880257ca13157
Formbook
a21182bf32d320deebafbf52f06c370fe3762ec55793e09df10ce9e27bfe799a
Formbook
affbb0db85505a477fad583411e0361f0502ef4d9c46059da31ca85eb0e0b5d6
Formbook
cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d
Formbook
e890b563d8866db21a60bd0eed524503a8769125f31949836da4c67ab1a704d9
Formbook
error
Formbook
+ 2'726 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260116-clbnlacq3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0ba16e25-a646-43f7-92b6-bcac3dfbf100
Unpacked files
SH256 hash:
11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a
MD5 hash:
edc95bcace6376a960cbb45745985b36
SHA1 hash:
02fc0e6a25d4fb7bf699cc909e0cc11fbe9b4848
Link:
https://www.unpac.me/results/4b17c61f-67e2-4456-8ffd-1a93f33d37a6/
SH256 hash:
333440f1ec3ee5d6b5cb6dcad3e08fbb4b94e1bbd9ecb866b01d7e9b27749f71
MD5 hash:
cf6c3ab5ffdf60532336db0677ec676e
SHA1 hash:
0d3e6f1f52050b075331b5660e0c0eb154a85311
Link:
https://www.unpac.me/results/4b17c61f-67e2-4456-8ffd-1a93f33d37a6/
SH256 hash:
6de8e7b8b4aeb1b9fa68a57029c25aa004478a808877036f3de2ec526b130959
MD5 hash:
c765ef9ec487f57f232a03ae1addcc16
SHA1 hash:
1bbdd8f976a1f08c70d703245d6d6e2775f7a38c
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4b17c61f-67e2-4456-8ffd-1a93f33d37a6/
Parent samples :
901891aee909a9e9c4deccca42311c0b7b5aaedea79082512b6e81db2f2e4323
11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a
a21cea52a66cb02df71c42492bf7acf4d6393327fc9cfc20a7dbf246477df853
ca1d88d18d99a6f7f3fbe805327a369ba75594669c02d8f86e30f1ad8c56a2b4
0cc5a2fd9f73331cd37bef1667d4057e325c098602c61de8aa3a94cfe08cc519
ccb84b327afb07bccbe3367be35abe53ccb8f0ad9a815bb098e30029387def10
8a226b58f29599b98ff089f0dd5ecb845dbac90982ed15337734886e15912952
60cd8949dd366aa94383409dde4e7840d85db4f2cea2eef7f773b9fe2d36bc68
544c6d4ae8075826b97fd416d9ff441989a785bf3e945851494d0db18728f604
9fc9401b548091b02b74da0ea58aa279db23c47c5ab2bfaacea4605df89d511d
750d0ef6eaaac00190a10d38493cf765fcb9a9076ecf4d52ca356af4a650585f
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11ac85099031/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 11ac85099031a8d3c666ae8295d1b36a0115bd9b3c319481ee7f39450613054a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49058/

Comments