MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02
SHA3-384 hash: 1c2e613d12cefa7d1206a4a6d05644b46cc84b7ee2795e9336866d5c62944c72d5c77592e98f8576980cf19424b60ad2
SHA1 hash: 44f557fc30b1e2bf72d75e71e0ffc82e092727dd
MD5 hash: 2615e1fe93b28db838e8537c309cb139
humanhash: grey-asparagus-island-early
File name:5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02
Download: download sample
Signature Formbook
Create hunting rule
File size:274'432 bytes
First seen:2026-06-08 13:08:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b5b37775389edc1abc7a75f91ca6d8e (1 x Formbook)
ssdeep 3072:NWiOpS4lNRLhIoTkceC5M16tYdQo5k5/5R+QZdGmNq/sjQavABliK:cimS4lSoTkcefoAQo2/5R/DOri
Threatray 2'507 similar samples on MalwareBazaar
TLSH T17C440278D720DA5BDFA84B31D953DA182AA53C4EE6743C6E068B724F1CB130374166BB
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.EXE) Win64 Executable (generic) (6522/11/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon b232ecccfcfcf4f0 (1 x Formbook)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
FR FR
Vendor Threat Intelligence
Malware configuration found for:
GuLoader
Details
Link:
https://research.acce.ciphertechsolutions.com/results/562a83af-4cab-49ea-b830-ea0b5d51ad63/
Malware family:
n/a
ID:
1
File name:
5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02.exe
Verdict:
No threats detected
Analysis date:
2026-06-08 13:12:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80b83844-1efe-4b09-9997-1c00054c82bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70071/
Detection(s):
Win.Packer.VbPack-0-6334882-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a26bee03e9eff6a6b68cd34
Tags:
shellcode virus pony
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context packed visual_basic
Link:
https://www.filescan.io/uploads/6a26bf101f652d68656f2504/reports/25306f33-4aef-4940-a3ff-5b406c5b9d4f/overview
Verdict:
Malicious
Labled as:
PonyStealer.Generic
Link:
https://www.hybrid-analysis.com/sample/5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-24T00:14:00Z UTC
Last seen:
2025-08-24T01:21:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.VBKryjetor Trojan.Win32.Inject.sb Trojan.Win32.Alkhaser.c Trojan-Dropper.Win32.VB HEUR:Trojan.Win32.Generic Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan-Downloader.Win32.Minix.sb Trojan-Downloader.Win32.GuLoader.sb Trojan-Spy.Noon.HTTP.ServerRequest Backdoor.Agent.HTTP.C&C
Link:
https://opentip.kaspersky.com/5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1bf31e43-7559-4832-b90e-fdef8dd7a1b8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02
Threat name:
Win32.Infostealer.Pony
Create hunting rule
Status:
Malicious
First seen:
2025-08-24 05:02:25 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=komaeeqtutrntcr65q5rtvhbirmo2ysab2xlhyzjzhjipqgkrmba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1f9e0b93f46f8d3a082b8504b723df366b34fe38c093dbf910660a259ee1761d
Formbook
41eaa4d9ca00fdef1f8ac2b02ffbb0498b8ed8565916247c20b4a41beaa102a8
Formbook
4f897b135d89fd4fae9653b4ee0e7ac959c478cc12734ec5fe887d6ac92680cc
Formbook
5ce77e84e2cd14e6127858e392fdc37d53bc87a5af9f9321cf7d336c18c10b03
Formbook
94976e161177276c6c1f03697f87bbbda781fedb937342a311728f51a3bce501
Formbook
aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
Formbook
c2f65520679a99af012fb9ba6d2eab1beb9af9de7d5acc28aa34c80f1b49c736
Formbook
dcba50a5be328e080a5496812c9c9d0d2f3bda66372fb376b716997e6323c16d
Formbook
ea250eba25fa7ecae8c440aff7a402f04b959b0722a8bfd068352bc31697322e
Formbook
error
Formbook
+ 2'497 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ch13 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260608-qd4ajaew7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02
MD5 hash:
2615e1fe93b28db838e8537c309cb139
SHA1 hash:
44f557fc30b1e2bf72d75e71e0ffc82e092727dd
Link:
https://www.unpac.me/results/f7e86b8f-fb8d-4f3c-bc4d-8b393f1fe04c/
SH256 hash:
d1b0b21900c45374ce10d85307f47d602248828282533dfea659966dcc655878
MD5 hash:
39d7d930f60709f2505169d90492f122
SHA1 hash:
730b1b97e190cfa09abae420ffd80de3d02c0267
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/f7e86b8f-fb8d-4f3c-bc4d-8b393f1fe04c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5398021213a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/5398021213a4e2d98a3eec3b19d4e14458ed62400eaeb3e329c9d287c0ca8b02/community
Cape
Cape
https://www.capesandbox.com/analysis/70071/

Comments