MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
SHA3-384 hash: 3ae187540e611b1d02a134de7d97cb6a7995437d6f4ba2b8a2583b8fbf3a96dd3869bf87b2a1f135d20e6d73b12bba08
SHA1 hash: 01b7ff030b7dd9b780674a9a87d1ecbe8c35c00c
MD5 hash: f31cb277c670f9afe7458699724eb870
humanhash: glucose-failed-paris-jig
File name:msedge_elf.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:1'549'824 bytes
First seen:2025-12-23 09:36:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 51573b5e350d818866d94a5d6dc9477b (1 x Formbook)
ssdeep 24576:BDrdBZDSJuq5CtQibDuIJBKH1s1OnGjqVdU4iIVrmGWOtQ2KcF1fMz7D+H:B3dBZDjfuuKHiOnCIVrj/KcF1fC+
Threatray 2'397 similar samples on MalwareBazaar
TLSH T1A775BE16E3D802A8E537DA74CB656232D6B178064F71A9CF0699D7192F33ED0AB3B311
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
formbook
Create hunting rule
ID:
1
File name:
1.zip
Verdict:
Malicious activity
Analysis date:
2025-12-23 09:25:25 UTC
Tags:
auto generic arch-exec formbook xloader stealer phishing
Link:
https://app.any.run/tasks/222171ec-61df-4f12-8efe-7665e840d8a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45827/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694a6294a6c88bb4cc23f0a6
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/694a6290e8abb702f805eb94/reports/e50102c9-8118-48b6-9ca2-8576b80e8d9c/overview
Verdict:
Suspicious
Labled as:
W64/Agent.LPL.gen
Link:
https://www.hybrid-analysis.com/sample/5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-12-23T04:58:00Z UTC
Last seen:
2025-12-25T07:07:00Z UTC
Hits:
~10000
Detections:
VHO:Trojan.Win64.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Win64.Generic
Link:
https://opentip.kaspersky.com/5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/de7612ef-690b-4b5d-a00b-c38363a452d9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1838144
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1838144 Sample: msedge_elf.dll.exe Startdate: 23/12/2025 Architecture: WINDOWS Score: 100 57 www.kickersketch.com 2->57 59 www.cdqvc.com 2->59 61 4 other IPs or domains 2->61 69 Suricata IDS alerts for network traffic 2->69 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 3 other signatures 2->75 11 loaddll64.exe 1 2->11         started        signatures3 process4 process5 13 rundll32.exe 11->13         started        16 cmd.exe 1 11->16         started        18 rundll32.exe 11->18         started        20 17 other processes 11->20 signatures6 93 Writes to foreign memory regions 13->93 95 Allocates memory in foreign processes 13->95 97 Injects a PE file into a foreign processes 13->97 22 ngen.exe 13->22         started        25 rundll32.exe 16->25         started        27 ngen.exe 18->27         started        29 ngen.exe 20->29         started        31 ngen.exe 20->31         started        33 ngen.exe 20->33         started        35 2 other processes 20->35 process7 signatures8 77 Maps a DLL or memory area into another process 22->77 79 Unusual module load detection (module proxying) 22->79 37 UMo2zmwN.exe 22->37 injected 81 Writes to foreign memory regions 25->81 83 Allocates memory in foreign processes 25->83 85 Injects a PE file into a foreign processes 25->85 40 ngen.exe 25->40         started        43 7nS58ugqFymWXI.exe 27->43 injected process9 dnsIp10 63 cdqvc.com 178.63.45.142, 49710, 80 HETZNER-ASDE Germany 37->63 65 kickersketch.com 66.235.200.171, 49718, 49719, 49721 CLOUDFLARENETUS United States 37->65 67 2 other IPs or domains 37->67 45 msra.exe 13 37->45         started        48 msra.exe 37->48         started        91 Maps a DLL or memory area into another process 40->91 50 bEPsBqYM4Xat.exe 40->50 injected 52 msra.exe 43->52         started        signatures11 process12 signatures13 99 Tries to steal Mail credentials (via file / registry access) 45->99 101 Tries to harvest and steal browser information (history, passwords, etc) 45->101 103 Modifies the context of a thread in another process (thread injection) 45->103 105 Maps a DLL or memory area into another process 45->105 54 msra.exe 50->54         started        process14 signatures15 87 Unusual module load detection (module proxying) 54->87 89 Switches to a custom stack to bypass stack traces 54->89
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f31cb277c670f9afe7458699724eb870
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512/
Verdict:
Malicious
Threat:
Trojan-Spy.Win32.Inject
Link:
https://tip.neiki.dev/file/5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-12-23 08:07:59 UTC
File Type:
PE+ (Dll)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lksdfaab5nl2kstrnor4p4h2p5vyyoiifdviwm5dzbo7wkbyuuja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d2d887adcdf6309c4532e75ddb508db33402c7a488c3e2b8943c6721dab6708
Formbook
89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
Formbook
a0eccda897494935b1c7ce5193df8a89ea92d033c80152ff7fe9cc8215f67302
Formbook
ac1bdadf98761eed39833d096c732ca61ede04535ecced46d1f662f9dab206f6
Formbook
cdecb17866aa95ae171740ba4fc9b73b0f7a75ee817119fbe423b074c2c3e8a6
Formbook
dcde5a9fe61b7c32e735373629754ff429eadb1701165c4dcbe0ebd03374615e
Formbook
error
Formbook
fec34000664e9453638769da3413cddb271e791cbc5f8fb9c7697aeec8133f33
Formbook
+ 2'387 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/251223-nnqq3svqfz/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7aafc832-0191-4cb8-b5f2-90b4dacf82f9
Unpacked files
SH256 hash:
5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
MD5 hash:
f31cb277c670f9afe7458699724eb870
SHA1 hash:
01b7ff030b7dd9b780674a9a87d1ecbe8c35c00c
Link:
https://www.unpac.me/results/d1bbba4f-74a6-4a80-988d-6f91dbd91e56/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5aa4328001eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45827/

Comments