MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e1dd4e60571b586ceda3023a3e51e7e576423a4f3b2d3423c59a27daa2c0106. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 23 File information Comments

SHA256 hash:	2e1dd4e60571b586ceda3023a3e51e7e576423a4f3b2d3423c59a27daa2c0106
SHA3-384 hash:	1247a11a486e15114a366bcb536e76aa957382920c64fcab8787924bd0e1f732d4741c68a663b44b1288b3e9c2815ecb
SHA1 hash:	7ac2e32835ce111c69e4fc5b5954796bb7a89756
MD5 hash:	5f7a654bfb737618bea271c0ec1715c4
humanhash:	fish-carolina-indigo-eight
File name:	Payment PT8106333.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	674'163 bytes
First seen:	2025-06-18 06:29:52 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:zBfgcMLcsJv+4CmpQMcEEMZmYook6/K93BMot0RgOZ5Mz4g87P/d7E:zBfvKHxpm8InoPsRMot0RJ5MvCdE
TLSH	T114E423878767BF8E2CEFD8A3CB44C113D6CA729C1C93660D763A48DDAA8EB545E15310
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	FormBook payment rar

cocaman

Malicious email (T1566.001)
From: "finance1@essexfreight.nl" (likely spoofed)
Received: "from [141.98.10.47] (unknown [141.98.10.47]) "
Date: "18 Jun 2025 08:02:57 +0200"
Subject: "Remittance Advice . Payment PT8106333"
Attachment: "Payment PT8106333.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Payment PT8106333.exe
File size:	1'180'160 bytes
SHA256 hash:	7039cacccff280189a0abf06fecc5bd52ad7386fdc88b25a582a13a6eae02851
MD5 hash:	e402c76f71d97eca6af902c9f6c3087f
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2e1dd4e60571b586ceda3023a3e51e7e576423a4f3b2d3423c59a27daa2c0106

Verdict:

Malware

YARA:

1 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) Rar Archive Suspect

Link:

https://app.malva.re/file/5f7a654bfb737618bea271c0ec1715c4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e1dd4e60571b586ceda3023a3e51e7e576423a4f3b2d3423c59a27daa2c0106/

Threat name:

Win32.Trojan.Autoitinject

Status:

Malicious

First seen:

2025-06-18 06:29:55 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

16 of 36 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fyo5jzqfog2yntw2gar2hzi6pzlwii5e6ozngqr4lgrh3krmaeda._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250618-hp8qdsvrv2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2e1dd4e60571b586ceda3023a3e51e7e576423a4f3b2d3423c59a27daa2c0106

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)