MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34
SHA3-384 hash:	2dbdedd7f871fc0d18a388e26cc8218cf9fdf81aea2f278d1b634dbcb72fc2576454386cd6e4c2e9eae5e679b093c678
SHA1 hash:	932b15bd3f1b86ccd1876290ae22e4bfdae97c85
MD5 hash:	1937fb5bd932b6b9ed707d764c567f27
humanhash:	glucose-wyoming-muppet-tango
File name:	5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'194'496 bytes
First seen:	2025-12-08 14:36:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	91d07a5e22681e70764519ae943a5883 (126 x Formbook, 32 x a310Logger, 27 x AgentTesla)
ssdeep	24576:Otb20pkaCqT5TBWgNQ7aKtJM4bC+GjfiFCnb6A:7Vg5tQ7aKlZkeCb5
TLSH	T13E45CF1363DE8361C3725273BA257701AEBF782506A1F96B2FD8093DF920162525EB73
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/58a20029-05e9-44e8-955f-56fc017b73f9/

Malware family:

n/a

ID:

File name:

5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34

Verdict:

No threats detected

Analysis date:

2025-12-08 15:14:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c2d454c0-3c4f-4704-8435-ce6ff772d664

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/43079/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6936e283db58e1a2c22b8280

Tags:

autoit emotet

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-10T05:21:00Z UTC

Last seen:

2025-12-10T07:15:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/011856fe-5777-4425-8a90-4a328986595c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/1937fb5bd932b6b9ed707d764c567f27

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-11-10 09:06:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lij52xit4ckpu3iqwvc524ufluqripchr25vxnmj64zuoz6nju2a._file

Verdict:

malicious

Label(s):

autoit

formbook

Similar samples:

error

Formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/251208-rywlvscr8w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/56a40cf4-5407-46fa-a8c0-6bfeca783cc1

Unpacked files

SH256 hash:

5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34

MD5 hash:

1937fb5bd932b6b9ed707d764c567f27

SHA1 hash:

932b15bd3f1b86ccd1876290ae22e4bfdae97c85

Link:

https://www.unpac.me/results/e1720dbe-6eee-4e59-b0e8-626bc5b0671e/

SH256 hash:

80858ac79c0b8d117c58bf3bae85004fded91c812dd684274a9a7349730d9630

MD5 hash:

2efeda40bedf4271be629571de4798de

SHA1 hash:

67fe925769506d614f3c8d201f10cf44bc4b547e

Link:

https://www.unpac.me/results/e1720dbe-6eee-4e59-b0e8-626bc5b0671e/

SH256 hash:

792b15d3a2e4bda9eb56d5d304340ab833da5eb7fabc6a1e05bec6220a5147ec

MD5 hash:

f6d35bda4f0ed16d0f68cbdd6c112242

SHA1 hash:

e2db2d7f6a21882e0e6a25a55b52811fe16998f3

Link:

https://www.unpac.me/results/e1720dbe-6eee-4e59-b0e8-626bc5b0671e/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a13dd5d13e0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/43079/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample