MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0
SHA3-384 hash:	a09e9235d6355d1c419fcbf90c9dc1efb88333bf2e31bb63cd9f7258a3db68cdf968e67c4293bd59bc5c269d032199e7
SHA1 hash:	90cc0e31c491042e09672ccb601e7d2adb073790
MD5 hash:	2f849364ad3e3dc9a8283f973e2a2686
humanhash:	mississippi-equal-echo-alpha
File name:	MV GRT SHIPPING SETS DOCs _QTE SPEC HBL#09-2925..PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	759'808 bytes
First seen:	2025-09-09 13:13:23 UTC
Last seen:	2025-09-15 06:57:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:xQIV5g5XrIbPkWyh/zxjcVJWJubm3KiaL3o+R3xpyw35Oco77I/FxWfv40CYtTlO:xN5gmkWWxjQULaLXNxQwJO4//ivf7
Threatray	975 similar samples on MalwareBazaar
TLSH	T1A2F40114226ADA0AC1A58FB40A72D3F81B68AF9DE452C607CFDE7EDFF439B501951381
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

MV GRT SHIPPING SETS DOCs _QTE SPEC HBL#09-2925..PDF.exe

Verdict:

Malicious activity

Analysis date:

2025-09-09 13:34:23 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/4518a535-5b88-4096-938e-a5491adcec40

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/26477/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c0282d6e66ba602d796810

Tags:

virus msil sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68c028cde8645594692437bd/reports/07a66fe6-0935-492c-84d5-967233e96740/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-09T03:57:00Z UTC

Last seen:

2025-09-09T03:57:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/562af576-3681-4f6d-8b46-f4d9cc4a8c77

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86

Link:

https://app.malva.re/file/2f849364ad3e3dc9a8283f973e2a2686

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-09-09 08:32:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lnimxnjmbeg5bpo3twopdaari77pfcifcnkomgbujyt2cn24mpya._file

Verdict:

malicious

Label(s):

unc_loader_037

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250909-qjb38sskx7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/52e760e8-dc9c-4e98-afa7-bc20cc0b97ad

Unpacked files

SH256 hash:

5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0

MD5 hash:

2f849364ad3e3dc9a8283f973e2a2686

SHA1 hash:

90cc0e31c491042e09672ccb601e7d2adb073790

Link:

https://www.unpac.me/results/3528230d-d120-4b03-9d56-ca80f2b4ba40/

SH256 hash:

db41273af4dbc288f2caebe4e95ae722a2940200af535f69ccfbfd7dd55381f4

MD5 hash:

5eb373f68d66f0b334512417f7efd9b1

SHA1 hash:

478828de69ccec76a3b58044b6020f39912b3de3

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/3528230d-d120-4b03-9d56-ca80f2b4ba40/

SH256 hash:

12dda0cd3b378fbced3071df357733426bb09e47c31fcc3ba6273650f67895dc

MD5 hash:

773c55854eb467033abb78bc2b667f80

SHA1 hash:

54bfd694185cd257abb4ee6b477dba12b971b9b9

Link:

https://www.unpac.me/results/3528230d-d120-4b03-9d56-ca80f2b4ba40/

SH256 hash:

1b7c512b49723c564c5f549753febc320e90d606cae29768831b32e353b20ec4

MD5 hash:

eec6fc2a98bc860e57dba42bc26e8e8a

SHA1 hash:

e736e4807e736959d6c9ef2bbdfb83302d70632f

Link:

https://www.unpac.me/results/3528230d-d120-4b03-9d56-ca80f2b4ba40/

SH256 hash:

93aab256ce2322a36b2dc0ec60eba2f848f1ecacc92364f3499746475112af45

MD5 hash:

741e29aaac98de069c8c3218070ccfa4

SHA1 hash:

6578b96d17a722fc81f3431e9b42592459e086f1

Link:

https://www.unpac.me/results/3528230d-d120-4b03-9d56-ca80f2b4ba40/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5b50cbb52c09/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.95

Link:

https://yomi.yoroi.company/submissions/5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/26477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample