MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064
SHA3-384 hash: cd41c61ff7544cdb08c41097133eb900daff8eb62fe294738027a27eb818bfa297363b2e694fc210de398042683f0e2b
SHA1 hash: b9ac2219c288fc7bd9550de4a7adc0e785603cc7
MD5 hash: 6422d983d9620b7c075c2fc4f1b967aa
humanhash: butter-maryland-fanta-vegan
File name:PO_240103728.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'468'928 bytes
First seen:2026-05-21 14:04:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 279daa640d9140f9842860a738abd363 (40 x Formbook, 8 x AgentTesla, 2 x CastleLoader)
ssdeep 24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8apYy7cmIjyXZY0lm+L64/J+:RTvC/MTQYxsWR7apYy7AyXekbR
TLSH T1D5656A0323BDC0E2FE9EBD720A55A31156786D160132E51FD25F3DE9E973163C22A6E2
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon 31b09c969698b033 (56 x AgentTesla, 27 x AveMariaRAT, 18 x Formbook)
Reporter TomU
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
AutoIt AutoStones
Details
AutoIt
extracted scripts and files
AutoStones
the names of side-loaded components and, if available from processing of a parent file, the deobfuscated components
Link:
https://research.acce.ciphertechsolutions.com/results/b1ec1333-cab4-4a1c-b9ee-f54bb30c2269/
Malware family:
n/a
ID:
1
File name:
Purchase order.exe
Verdict:
No threats detected
Analysis date:
2024-07-28 02:03:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f9693d0b-3427-41b0-b9e0-aaa8b844de78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67251/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0f133598070a72bb9c62aa
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Launching a service
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger microsoft_visual_cc packed phishing reconnaissance zusy
Link:
https://www.filescan.io/uploads/6a0f15e6056ea44c453752b6/reports/332b6579-535e-429f-be0f-273dfe6946d6/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064
Verdict:
Malicious
File Type:
exe x32
First seen:
2024-07-27T00:53:00Z UTC
Last seen:
2026-01-07T16:29:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Dorifel.sbd PDM:Trojan.Win32.Generic Trojan.Win32.Zenpak.sb Trojan.Win32.Inject.sb HEUR:Trojan.Win32.Obfus.gen Trojan.Win64.Injects.dow Trojan.Win32.Strab.sb Trojan.Win32.Auzenpak.sb Trojan-Spy.Win32.Noon.sb HEUR:Trojan.Script.AUO.gen
Link:
https://opentip.kaspersky.com/1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c051070-c526-4112-9147-bb8c420a3284
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064
Threat name:
Win32.Trojan.AutoInMalInjector
Create hunting rule
Status:
Malicious
First seen:
2024-07-27 04:43:58 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cvq23erao77p6lcs3i7cylsrjqhi5cl2jgz365bdprj3q3vu4bsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/260521-retm6ahv6v/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064
MD5 hash:
6422d983d9620b7c075c2fc4f1b967aa
SHA1 hash:
b9ac2219c288fc7bd9550de4a7adc0e785603cc7
Link:
https://www.unpac.me/results/21c514b9-4be2-49b0-ac1f-0319812869d9/
SH256 hash:
92a97c95613e3b273bf2e0a36e8e2cf547c4754c18e0fa85cb2d769acf6c9693
MD5 hash:
4a4ac4dd84274cef1e5a239557ff024a
SHA1 hash:
6906a7e46d30b3152da03349ac7bf77d2c305dfc
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
triage_formbook
Create hunting rule
Link:
https://www.unpac.me/results/21c514b9-4be2-49b0-ac1f-0319812869d9/
Parent samples :
52d5c762af537da5608ae0f3d41a2333b67ded34eec044ef1bf2fb55ef64a346
916de120c4d2812634e1124697edf5bad6eebd8c863e55fec1603fdf5a3f8bf7
c90b07c5a8fc34bd981b78834dcf6822f48c81db37d3c4e078dbd77e64d6d03b
6e91e87caf50bb5082e3a47af60257d589180308263ec48f6d6d11d211b14565
de619620b09f8e87741e0b3976f0441e68223bce0fb5bf0484c433edb39dd362
a42b86a6e286e1f86fdfd5f60d42b7deac0eb1af0fb680950672ac1002ff1b97
572bac7bbc6f0698807db58bdd1004831a71bab2d53d0141cbe31dc853acae07
ec0abef5fb66cd68576c583e78297f1c1e270f66be5a04236b116d99b9ee5b0e
0854c21ed7648b1d45e780c75bf6dc9e72858c93caf2828ff5af718c21f63f13
1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064
1e5bcefeb25537b33aa42e005a5fa97a0293d8f2c5e94dd6f4bc8ae2288736a9
2306569ae53954b8bee076cfb80432410510932168046b66920494c953b17aeb
SH256 hash:
319d82c9174f374060747104a9df9480375a6d12d11fec439143240e5d76dbde
MD5 hash:
9f76f1a91f013e068464f82588946e4e
SHA1 hash:
03dbd37be5543d4cf46bfc6609f5aa049ccac73e
Link:
https://www.unpac.me/results/21c514b9-4be2-49b0-ac1f-0319812869d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1561ad922077feff2c52da3e2c2e514c0e8e897a49b3bf74237c53b86eb4e064

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67251/

Comments