MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 19 File information Comments

SHA256 hash:	585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c
SHA3-384 hash:	b7ae6e9dac5e33d8622097170975a007d0bf1cbadf0fe7e6d6ff99259142f2bb39c77663cbeb269f6a9b31e0b257f527
SHA1 hash:	15667fc0c632abe4f4de98386b2a5a172d6367ff
MD5 hash:	1b858cfa211e7ad9a256e90642393610
humanhash:	blossom-hot-freddie-don
File name:	Ust_Yazı Yakiasık Maliyet Fiyat istemi_ihtiyaclistesi_1062945_Teknik sartname.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'039'360 bytes
First seen:	2026-05-15 08:02:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'936 x AgentTesla, 19'833 x Formbook, 12'310 x SnakeKeylogger)
ssdeep	24576:j1ILMrHY8oW5V3nfIP32XUog4I+dUDX21BXRs/bV7fzk5sL2:hILMrY6VXfW2rI+KDXKOV7fzbL2
Threatray	139 similar samples on MalwareBazaar
TLSH	T11C2512686EA8E107C59257340E71F1B4177E2EDEE420D6579FE96ECBF97AB000D18283
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/3ca7e21b-8357-44b2-bf18-12fb0bb616e7/

Malware family:

n/a

ID:

File name:

_585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c.exe

Verdict:

Malicious activity

Analysis date:

2026-05-15 08:05:37 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/00f1e3de-7f88-4b39-a44a-1082dd42ca0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/66000/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen5.33381.7251.7250.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a06d35846d6967b3d906e7d

Tags:

micro shell msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed unsafe vbnet

Link:

https://www.filescan.io/uploads/6a06d356df14f1cb2ad7008e/reports/9dc03330-76d5-4c5f-aa72-12c58fe35026/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-12T08:47:00Z UTC

Last seen:

2026-05-16T19:32:00Z UTC

Hits:

~100

Detections:

Trojan.MSIL.Dnoper.sb Trojan.MSIL.Inject.sb Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.sb Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.Injuke.gen

Link:

https://opentip.kaspersky.com/585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21746411-3875-4347-8775-ea0f6995e6d7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1913891

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected malicious Powershell script

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious values (likely registry only malware)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Suricata IDS alerts for network traffic

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.27 Win 32 Exe x86

Link:

https://app.malva.re/file/1b858cfa211e7ad9a256e90642393610

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c

Threat name:

Win32.Trojan.Ravartar

Status:

Malicious

First seen:

2026-05-12 12:11:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lbnazizejgdfc4x36iv7g4v5gk34onelhgnew2afgklkief36zwa._file

Verdict:

malicious

Label(s):

xworm

Formbook

2af9816b540cfa33d8d62d8d84d1881d3d3c4f250d92c9d046df3469458f56a5

Formbook

4d2d2c6efbb042ae0af1b79c8cc52237998ec70df56afd418abbacc48d9d3395

Formbook

6b15d702539c47fd54a63bda4d309e06d3c0b92d150f61c0b8b65eae787680be

Formbook

85cffbf528025f8a8af7935e9e1ef285a9da23cb8f454b78143ab2960d339a15

Formbook

903ec037859ba0e1d5c456ffaeb9f1a5c4b111e6bb4e5d62f583a7bc68d88f09

Formbook

d93a5d602961d1d23e77b613866be9056abe8f5c833776a20a2635fbbad772d8

Formbook

efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd

Formbook

error

Formbook

+ 129 additional samples on MalwareBazaar

Gathering data

Unpacked files

SH256 hash:

585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c

MD5 hash:

1b858cfa211e7ad9a256e90642393610

SHA1 hash:

15667fc0c632abe4f4de98386b2a5a172d6367ff

Link:

https://www.unpac.me/results/a19d0315-5e80-4a26-ac35-bf3d9bd5d0d2/

SH256 hash:

1e12cbf761f2bfcfc4da87760b0bc26496c3b567943a3300f329e846e564fc3c

MD5 hash:

aa092061eb5a8ac3f68fdffad159b2c6

SHA1 hash:

5b6b56f9a40942dae8b852bd7ee03f941b5a7742

Link:

https://www.unpac.me/results/a19d0315-5e80-4a26-ac35-bf3d9bd5d0d2/

SH256 hash:

bc182f2d934b3e8f2d8c93739d8c8383e60223af16c62359a10831f76d9d168a

MD5 hash:

e01f8eac49eefbab201ec555dc9ae891

SHA1 hash:

9539cb2e684aded0ee0d1213b1d2679220bef72d

Link:

https://www.unpac.me/results/a19d0315-5e80-4a26-ac35-bf3d9bd5d0d2/

SH256 hash:

ca3361dc717ba306b4eb73b541b756d2934ac22304b16a31404a733a0dc12feb

MD5 hash:

cb32d6234f1c8dbaac6ed5277eb81055

SHA1 hash:

cdd9b01e6b1478d9837aafef91c761f41162bb07

Link:

https://www.unpac.me/results/a19d0315-5e80-4a26-ac35-bf3d9bd5d0d2/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/585a0ca32449/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 585a0ca32449865172fbf22bf372bd32b7c7348b399a4b68053296a410bbf66c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/66000/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample