MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17
SHA3-384 hash:	bc7a87578eec36707e6f37775800986c4a028358fc03f8815b9082526218833e52c683a58a74ddc0e441aa6cd6c0df61
SHA1 hash:	c52457cf9bbb53841abc1b291d7dbf01a70d58d9
MD5 hash:	763f68a401d716378a6a55afef4b85c4
humanhash:	fanta-vegan-oranges-robin
File name:	Documents-00003899909.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	822'784 bytes
First seen:	2025-09-26 16:10:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:mMrXaa8X8N3MG5PSzDSgIW/BmjHLxS1dne5NcM7rmoQnqzh7u:Laa8X8VPSztIZZate4QUqF
Threatray	1'508 similar samples on MalwareBazaar
TLSH	T11205020433E9EB06D4BB47F40570D3B54B7A6E987512E30A8EE6ACDF3C3AB411A09657
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Documents-00003899909.exe

Verdict:

No threats detected

Analysis date:

2025-09-26 16:14:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9f9f9ee6-79f1-40a2-ab01-3953b570dc2c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/29182/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d6bb4491dd51f6514f17f7

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68d6bb65674d5fd6aa0dc749/reports/54ff6654-0763-4f92-a780-1430f5065c9e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-24T11:55:00Z UTC

Last seen:

2025-09-24T11:55:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.gen VHO:Backdoor.Win32.Agent.gen Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic Trojan-Spy.Noon.HTTP.ServerRequest HEUR:Trojan.MSIL.Agent.gen Backdoor.Agent.HTTP.C&C

Link:

https://opentip.kaspersky.com/5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/178b9e5d-f3ff-4fed-ac5c-d0f2e9ce9ba7

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.16 Win 32 Exe x86

Link:

https://app.malva.re/file/763f68a401d716378a6a55afef4b85c4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2025-09-24 11:41:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l6nqdoemp6xwgi42pfafyh34kuq3tt6rsngglgumky2fvukutulq._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250926-tnm8va1sgy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/53e10c15-3ca7-4120-9fe3-9ff7d1bff846

Unpacked files

SH256 hash:

5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17

MD5 hash:

763f68a401d716378a6a55afef4b85c4

SHA1 hash:

c52457cf9bbb53841abc1b291d7dbf01a70d58d9

Link:

https://www.unpac.me/results/4faa62b2-3d23-4e22-b041-34aa83942d56/

SH256 hash:

feedb7303826398294857da13e3fe35025bfcccfd46db52676ab09c66de557e1

MD5 hash:

dccc4ed75acf20968a8bfaacb543fafa

SHA1 hash:

19c09155ce56b607c3e908b9cb84d471cb9e5bb4

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/4faa62b2-3d23-4e22-b041-34aa83942d56/

SH256 hash:

7c9057b64be09cc21e5df9b997b2aca6464b79b804fcab4eee7848cda8225d4a

MD5 hash:

910707ba0ca2796879872c67488df2e8

SHA1 hash:

58908fcde2802d0ac3c31789b7008b63f734a8b4

Link:

https://www.unpac.me/results/4faa62b2-3d23-4e22-b041-34aa83942d56/

SH256 hash:

cdb8ac92c7a341ee1ead563bf7b48a244d580acfb30704043b6d4b24ea5ccf09

MD5 hash:

07ca79c30cd50df8c68d115eebd52475

SHA1 hash:

a70c058086cd6156059b9947aee5bcd3f75f3336

Link:

https://www.unpac.me/results/4faa62b2-3d23-4e22-b041-34aa83942d56/

SH256 hash:

fc9c54b98aec7168e62c5664a5d33560019251eb4671d4ccd6214030fb2160d1

MD5 hash:

fef0eb0bc2f23c169ca4b2dc5860eab9

SHA1 hash:

dd6aa6478d3dfcc686c32c5c2c82b0ec1471dfe4

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/4faa62b2-3d23-4e22-b041-34aa83942d56/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5f9b01b88c7f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29182/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample