MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc
SHA3-384 hash: 612d2524ce742da719d9e2a51ac2bce652d0f51dbafbdd87a971e2e4965fc07ddde69fd72eef43a57a0fd534f73d137c
SHA1 hash: b407c31fba5f7ba847f20fd03dce1add1abaf66f
MD5 hash: f01e7c38b1d307924929e21a4b394463
humanhash: sixteen-kansas-glucose-juliet
File name:INVOICE#R09.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'201'664 bytes
First seen:2025-11-05 04:04:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91d07a5e22681e70764519ae943a5883 (93 x Formbook, 14 x RemcosRAT, 11 x AgentTesla)
ssdeep 24576:vtb20pkaCqT5TBWgNQ7aqzKMSGihRzDojBSL6A:sVg5tQ7aqOFGivojS5
Threatray 2'765 similar samples on MalwareBazaar
TLSH T1C445CF1373DEC365C3B25273BA16B701AEBB782506B5F96B2FD4093DE920122521E673
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE#R09.exe
Verdict:
No threats detected
Analysis date:
2025-11-05 04:07:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0202819-0cc2-4cba-993f-d688c58fcc56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35390/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690acd2f706befaf4ecbc8da
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
DNS request
Connection attempt
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/690acd2885b61a93a7363a0a/reports/8974b98a-ee37-4aeb-ba64-e44125e2a80f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-04T21:54:00Z UTC
Last seen:
2025-11-07T02:17:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Trojan.Win64.Injects.hhr Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/447ab9ea-b4c2-47b1-b561-e34b4c222aab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1808223
Signature
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: CMSTP Execution Process Creation
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1808223 Sample: INVOICE#R09.exe Startdate: 05/11/2025 Architecture: WINDOWS Score: 100 31 www.wllb.xyz 2->31 33 www.nwhz.xyz 2->33 35 9 other IPs or domains 2->35 43 Suricata IDS alerts for network traffic 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected FormBook 2->47 51 3 other signatures 2->51 11 INVOICE#R09.exe 4 2->11         started        signatures3 49 Performs DNS queries to domains with low reputation 33->49 process4 signatures5 61 Binary is likely a compiled AutoIt script file 11->61 63 Writes to foreign memory regions 11->63 65 Maps a DLL or memory area into another process 11->65 67 Switches to a custom stack to bypass stack traces 11->67 14 svchost.exe 11->14         started        process6 signatures7 69 Maps a DLL or memory area into another process 14->69 17 sX6GE2E9.exe 14->17 injected process8 process9 19 cmstp.exe 13 17->19         started        signatures10 53 Tries to steal Mail credentials (via file / registry access) 19->53 55 Tries to harvest and steal browser information (history, passwords, etc) 19->55 57 Modifies the context of a thread in another process (thread injection) 19->57 59 3 other signatures 19->59 22 lp2oVFamhu.exe 19->22 injected 25 chrome.exe 19->25         started        27 firefox.exe 19->27         started        process11 dnsIp12 37 www.maltrio.website 203.161.63.201, 49735, 49736, 49737 VNPT-AS-VNVNPTCorpVN Malaysia 22->37 39 www.fdaigy.info 47.239.79.48, 49743, 49744, 49745 CHARTER-20115US United States 22->39 41 5 other IPs or domains 22->41 29 WerFault.exe 4 25->29         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/f01e7c38b1d307924929e21a4b394463
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 04:05:58 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chgfhzzof5ipcyxmx4yp4vc3t666yrjhvyp3gzjcuvr6qmbyst6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
autoit
Create hunting rule
Similar samples:
07351022141ffd0655322cbcb9bc66d32353fe5c7040d81324a2bceb23514126
Formbook
170c2b10322d1b2bbd5403091730544828633e2bdf59af1134b1ae1898a8d90c
Formbook
385a6144e684a9508f25fbec58476588f915f4194fd5233612128aad5b849ef7
Formbook
4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde
Formbook
5fcfd8333c4687790ed53e4783d8b2ac2d082059f7f1b14e92dd24e41e831740
Formbook
90b33d8252b9470d19ac4aff278e6470c04bafe0a04cf143b61880257ca13157
Formbook
a21182bf32d320deebafbf52f06c370fe3762ec55793e09df10ce9e27bfe799a
Formbook
a684465a73338c71ef0b4094a7ea9cef4c7b75a9577286cbb9614bd6702a6917
Formbook
b99465dde28898f671538e21692d17def78b40a44b6765093ce3940668614cc7
Formbook
error
Formbook
faccf8d466113be926dc374092d8424d02329e469b4984d7f988b1a8cd1d1aa3
Formbook
+ 2'755 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251105-en1rlssjhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04bbf2ee-796d-47e5-930c-edac38f9c41a
Unpacked files
SH256 hash:
11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc
MD5 hash:
f01e7c38b1d307924929e21a4b394463
SHA1 hash:
b407c31fba5f7ba847f20fd03dce1add1abaf66f
Link:
https://www.unpac.me/results/1684112d-36e2-420f-b9c0-5f07bbde27e2/
SH256 hash:
f20b0221d2b24d103f9b2c17d5926dad147cf729dccbf4c2ea455bd8bcdbdaf9
MD5 hash:
ef3327e79680e38ded1208ea8981d9c7
SHA1 hash:
c180b0448b2d92ecf725bca5c6b9c93dd6fc23cd
Link:
https://www.unpac.me/results/1684112d-36e2-420f-b9c0-5f07bbde27e2/
SH256 hash:
10ccda6c09cfe391fc3d5bfc56198e785908ce0da7a815b02c0223a922428078
MD5 hash:
6dd2ef688b6775918fc91ece2b031576
SHA1 hash:
691d06465af3feb53fd0f38195fe28d5a18e13a9
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1684112d-36e2-420f-b9c0-5f07bbde27e2/
Parent samples :
f8b0f66cf4778ac6c5c91358e523994efec3065636e25d9487ec5d87dfbef14b
11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc
2968dbd64af4b7668158b729f043c71b653bec1d5e4c965359bbc662a4cd3fda
9adeec7138d5d6854c3632ed0560edf5566d75347ffb0b13aa441ba89aed930a
dfb26be7653792b528f1eebbf369f94a76c1f40ff8cb50377f8d49d0ed846417
3dc974c7c0c8f9661e021e383d86122d6053e45f1d42d7164d33a717b9b2bd02
0736bca6f642df69654f042e4ea38fe03d11a9dd6ac5e14fc5b6cba2a1facdfe
a68c8b552dc6416db42a98e331b13d30e6ba04d3dec7c9fe1636f1eebed71912
7051251ec9dccbd7571cb7b3c30e5f64ecf1feb7f3694b38a8307e24a3ba56ab
20d5148fc579f4d5cd970d13bce2f15136c8eb788037ffa40802d4f947946621
d35e98ed5ac77679e813b2a362ce37bc0a247b45758d60327ac5b8a4a048c0ab
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11cc53e72e2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 11cc53e72e2f50f162ecbf30fe545b9fbdec4527ae1fb36522a563e8303894fc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35390/

Comments