MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 22


Intelligence 22 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4
SHA3-384 hash: e3328a3fb052aba80fbd3953dd57c871a4c7c053a585534f295f365868f502d4929f6d2b6c402110c0744e303d7a9cc1
SHA1 hash: a47c334f21c4aa266fbd7fa435e9c9ba7ff0bca0
MD5 hash: b4b67dda46c13d8a031fb67a7219b9aa
humanhash: georgia-arkansas-earth-cola
File name:AsfMYqX60k8aEMk.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:562'176 bytes
First seen:2025-12-02 11:02:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:PdnT5qIrXh7T9oXqxmp4I3oXu8YyXQbXC37n2nrh+mau:P9Y+xJZ0pH3XE137n2rcma
TLSH T10DC401585AD8D20BD4661FB46C71E1B02778BEAAED21D10BDFCA2DCFB4BEB484055213
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/519ee29b-10db-4e26-80bf-5566ce2527df/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
AsfMYqX60k8aEMk.exe
Verdict:
Malicious activity
Analysis date:
2025-12-02 11:03:26 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/793c6725-ed33-4c46-947e-6734c8ad1c04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42155/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692ec743264b106bd645f68c
Tags:
phishing virus krypt msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/692ec7399da4f3a3b7bddff7/reports/df361909-6486-44f3-af8c-cf327edd8f5f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-02T05:01:00Z UTC
Last seen:
2025-12-04T09:19:00Z UTC
Hits:
~1000
Detections:
Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Blakken.sb Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.Win32.SpeedBit.sb Trojan.MSIL.Agent.sb HEUR:Backdoor.MSIL.Remcos.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b1f089d-2a18-4fc5-b6e7-6c11af9cab78
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1824296
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1824296 Sample: AsfMYqX60k8aEMk.exe Startdate: 02/12/2025 Architecture: WINDOWS Score: 100 29 www.ypesama.com 2->29 31 www.usionconsultingpro.digital 2->31 33 2 other IPs or domains 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 7 other signatures 2->41 11 AsfMYqX60k8aEMk.exe 3 2->11         started        signatures3 process4 file5 27 C:\Users\user\...\AsfMYqX60k8aEMk.exe.log, ASCII 11->27 dropped 51 Tries to detect virtualization through RDTSC time measurements 11->51 53 Injects a PE file into a foreign processes 11->53 55 Unusual module load detection (module proxying) 11->55 57 Switches to a custom stack to bypass stack traces 11->57 15 AsfMYqX60k8aEMk.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 32 1 15->18 injected process9 process10 20 chkdsk.exe 18->20         started        signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 49 2 other signatures 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.33 Win 32 Exe x86
Link:
https://app.malva.re/file/b4b67dda46c13d8a031fb67a7219b9aa
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-12-02 09:20:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5qtyboegdfgfbig3elsdk6vdmfpbtxetywzjqh27wr3lqgz4tca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ms04 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251202-m49cpatrcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/27e5390c-9c86-4bd4-af93-b1d8e630e881
Unpacked files
SH256 hash:
57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4
MD5 hash:
b4b67dda46c13d8a031fb67a7219b9aa
SHA1 hash:
a47c334f21c4aa266fbd7fa435e9c9ba7ff0bca0
Link:
https://www.unpac.me/results/d52fdbd4-da36-465c-83f5-022ba46b6a31/
SH256 hash:
11457ae90d0a9aec0de65937ac4b6eb06416719b86dbebb2d7fd70fcf803ecfe
MD5 hash:
82fc1f2664434d280daa062bdd0064de
SHA1 hash:
204677e40464a121d41aae3233fe778a5e0ccd7a
Link:
https://www.unpac.me/results/d52fdbd4-da36-465c-83f5-022ba46b6a31/
SH256 hash:
2b6bb8b4756dcc0935c3a6e511145d1ff2f687e7a95748daf0c1919d65559807
MD5 hash:
caca86d518a291547de5ad3af8d5fc2f
SHA1 hash:
89eccee46ed994cb7820bf166d02f6be7e54e056
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d52fdbd4-da36-465c-83f5-022ba46b6a31/
SH256 hash:
e1fd6332ad3ce4d96908b2a06a09d9de735766fad7e2201cc03d6d6048a5830e
MD5 hash:
bbeb858b95bab80a021316200c5cdd59
SHA1 hash:
cafa69e6b87c1933068fcd6f23a1e2dd45e35497
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/d52fdbd4-da36-465c-83f5-022ba46b6a31/
Parent samples :
f7f0d0bcd56c2b929b687aa0c15305be4f71495d0b1ce5609fed155ddb0c016c
db603d2938218ca0b95c604a319858d625907401a9317fafce65d916c7858347
57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4
f9c83ec244d6aec4d5b7cc876d549aee379869f915d6f6090ec1a3b0b6b5e09a
4fd046bbda84dc11d4ab1d6f0213688a04d52822e309e26b847775d6f9b2f42c
2816037e426bbf07de2d4d8c2c8ef7090911e1d7406b6b23933a5e422c65f108
5bb13fbfde91572211a407659086170c3db3b4879445b63858a27fadd26cf1f4
fee4fb5400d2ce1a0d1dc244a6be6d38dd9c5452d792c1c57bf60690d673b9b7
e0de35a5fec9c05ce9af1308aa54988c1ca9f24a9b0c341ad97b62e72d984e46
9d1638b1dd03a382ff17a517be8a43281799bdc7af7b485a5e3c494712663634
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57613c05c430/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 57613c05c430ca628506d91721abd51b0af0cee49e2d94c0fafda3b5c0d9e4c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42155/

Comments