MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aba751eb2960c7d48d35d6e906f34107febb06c0a1c82ff20e5ef127a06ea49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash: 5aba751eb2960c7d48d35d6e906f34107febb06c0a1c82ff20e5ef127a06ea49
SHA3-384 hash: f75ef29dd1e158baf0e309da92f623a768ab16827f6273cc6a2698690154b74e024ebe2dd5546bac1bc1287e6bafa9b0
SHA1 hash: a773f0198deabb8866ed3fd8f42a8e479fd1f7f0
MD5 hash: 1c97d75c6bbdcbc64127b412ec793ef0
humanhash: thirteen-kitten-cat-uniform
File name:Purchase Order.exe
Download: download sample
Signature Formbook
File size:578'048 bytes
First seen:2026-06-30 05:47:58 UTC
Last seen:2026-06-30 05:51:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'044 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 12288:qwrrfZoTOnk5ywPDbEH0wPd4EJGbiIVvEcwOQCGi1ie7:pRoqnk8wHm9J0VKcwwdie
Threatray 2'435 similar samples on MalwareBazaar
TLSH T101C4012467EC8F31EABE277DF5B060024375B176B403EB9D69D9A0AD1433B818E513A7
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence


File Origin
# of uploads :
2
# of downloads :
149
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_5aba751eb2960c7d48d35d6e906f34107febb06c0a1c82ff20e5ef127a06ea49.exe
Verdict:
Suspicious activity
Analysis date:
2026-06-30 05:49:57 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 dropper exploit formbook masquerade
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-29T21:41:00Z UTC
Last seen:
2026-07-01T03:54:00Z UTC
Hits:
~100
Detections:
VHO:Trojan.MSIL.Convagent.gen PDM:Trojan.Win32.Generic HEUR:Exploit.MSIL.ChecksumController.gen
Result
Threat name:
DonutLoader, FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected DonutLoader
Yara detected FormBook
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1935387 Sample: Purchase Order.exe Startdate: 30/06/2026 Architecture: WINDOWS Score: 100 30 www.swerx.xyz 2->30 32 www.zzwksw.com 2->32 34 22 other IPs or domains 2->34 50 Suricata IDS alerts for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 58 8 other signatures 2->58 10 Purchase Order.exe 1 2->10         started        signatures3 56 Performs DNS queries to domains with low reputation 30->56 process4 file5 28 C:\Users\user\...\Purchase Order.exe.log, CSV 10->28 dropped 60 Maps a DLL or memory area into another process 10->60 14 Mn7MuwLKM5N.exe 10->14 injected signatures6 process7 process8 16 upnpcont.exe 13 14->16         started        signatures9 42 Tries to steal Mail credentials (via file / registry access) 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 46 Modifies the context of a thread in another process (thread injection) 16->46 48 4 other signatures 16->48 19 6Mh8WMpt9lYeKG.exe 16->19 injected 22 chrome.exe 16->22         started        24 firefox.exe 16->24         started        process10 dnsIp11 36 k003.brwwww.com 120.89.68.66, 49707, 49708, 49709 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong SAR China 19->36 38 www.casino-x-kkgvbwu.top 45.88.106.25, 49754, 49755, 49756 PODAONNL Netherlands 19->38 40 12 other IPs or domains 19->40 26 WerFault.exe 4 22->26         started        process12
Gathering data
Verdict:
Malicious
Threat:
Exploit.MSIL.ChecksumController
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Status:
Malicious
First seen:
2026-06-30 00:43:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:donutloader family:formbook discovery loader rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
ConfuserEx .NET packer
Detects DonutLoader
Family: DonutLoader
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
5aba751eb2960c7d48d35d6e906f34107febb06c0a1c82ff20e5ef127a06ea49
MD5 hash:
1c97d75c6bbdcbc64127b412ec793ef0
SHA1 hash:
a773f0198deabb8866ed3fd8f42a8e479fd1f7f0
SH256 hash:
a71a6627ebdda576ec5e8d8e72018ed90f3b1d00d56a89de126183d8cbbfa66c
MD5 hash:
e4d23891864d41f44e6db278386414fe
SHA1 hash:
4fd75e392c15e7310c515eaef97b929a919a42d3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5aba751eb2960c7d48d35d6e906f34107febb06c0a1c82ff20e5ef127a06ea49

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments