MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 15 File information Comments

SHA256 hash:	18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d
SHA3-384 hash:	7e68ca8e6036391f15e41cd12a695f56de6dddccc186c6068ff3713249c90bf83dfd753eabaf9671624daf600a76d8f2
SHA1 hash:	0915bc8d9495142d4e28640614eac29a103252db
MD5 hash:	41e5a7462c298963ff5e747de3d53f26
humanhash:	hotel-bravo-oregon-pasta
File name:	xloader.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	283'648 bytes
First seen:	2025-12-19 14:24:47 UTC
Last seen:	2026-01-02 14:58:08 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:QTeuatcQMFilXFGJlJCh5zy7jhORKLHaVLAH/CyZxd/gadi+uPqV:QTeBMFil1mg5zUKKEsqyZzuM
Threatray	2'397 similar samples on MalwareBazaar
TLSH	T19654232FB850E876CBEBA1757D05F4D41B9BE406997798A3CFD0259AE1103ABEF04324
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.3% (.ICL) Windows Icons Library (generic) (2059/9) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

FormBook

Details

Link:

https://research.acce.ciphertechsolutions.com/results/78b7d117-3713-406f-b1ff-684b57be83f0/

Malware family:

n/a

ID:

File name:

_18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d.exe

Verdict:

No threats detected

Analysis date:

2025-12-19 14:25:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/075ae102-3e5f-4787-837a-878092f7f3e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/45517/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6945605629df60c6e007bfbc

Tags:

injection obfusc

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

babar crypt formbook infostealer microsoft_visual_cc overlay packed zero

Link:

https://www.filescan.io/uploads/694560533f8fdbf8e94c316c/reports/efd44f6a-7e57-4bb8-bbc2-33e8657b8a0e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-19T11:32:00Z UTC

Last seen:

2025-12-21T06:18:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.Win32.Noon.sb Trojan-Spy.Win32.Noon.bpab Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Backdoor.Agent.HTTP.C&C

Link:

https://opentip.kaspersky.com/18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fbb604d-0f66-4dd3-a297-826068bdb054

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/41e5a7462c298963ff5e747de3d53f26

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d/

Verdict:

Malicious

Threat:

Trojan-Spy.Win32.Noon

Link:

https://tip.neiki.dev/file/18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-12-19 14:24:48 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dd24vskrifo7yknhyqnhptmipbtuankwducclx567wett2rwr4gq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3671a3f885f39f3793f4c88e8a54005b466e1e9b20f2a91d069cea42e25703b3

Formbook

3a279099e6b83675a0f1b4ad779734a1c718d6b19a9ab225c54be70c78108ab5

Formbook

3dc467a7a9bcfa23fe34b6dc2932597bb7bbe79108e3d11dbc52b0bd135ef8e2

Formbook

6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481

Formbook

85ad935b3f04ac7a537e4cf51894c03ed4764343f3b0d8c56657d9137d8e451e

Formbook

ac1bdadf98761eed39833d096c732ca61ede04535ecced46d1f662f9dab206f6

Formbook

error

Formbook

fec34000664e9453638769da3413cddb271e791cbc5f8fb9c7697aeec8133f33

Formbook

+ 2'387 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/251223-qa2brszmd1/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3e78562c-a6e2-454a-aba3-3f8147e36b3d

Unpacked files

SH256 hash:

18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d

MD5 hash:

41e5a7462c298963ff5e747de3d53f26

SHA1 hash:

0915bc8d9495142d4e28640614eac29a103252db

Link:

https://www.unpac.me/results/f1436834-a69b-4156-a63f-b2f85802e4ab/

SH256 hash:

20ada25a704152ce6bbcab1bfcc5bdeb1f57152ecbfb32e8bd3b58516a70d08e

MD5 hash:

40561682543d5eaeb66cdd3c14553cd7

SHA1 hash:

1d34cb1a9ea68e54fa4f8982f49d4c211a4d4340

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/f1436834-a69b-4156-a63f-b2f85802e4ab/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/18f5cac95141/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/18f5cac951415dfc29a7c41a77cd8878674035561d0425dfbefd8939ea368f0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45517/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample