MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65
SHA3-384 hash: d637318d3a1cb75d329958ab3ce8d117afe27737df1870497675791f02e4f1aa1e549fcbb797e50b9addbfbd012237bf
SHA1 hash: 8e4a2dddd512e9cd06d04dc1b21190d0c1d83b06
MD5 hash: 91c23ab2ef39e7c57e05755cd07ec49d
humanhash: seventeen-vermont-ack-ack
File name:SecuriteInfo.com.Win32.MalwareX-gen.56948145
Download: download sample
Signature Formbook
Create hunting rule
File size:756'224 bytes
First seen:2025-08-07 06:06:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:deDNpTHKj4ICEACqFLVKYxlAvoILfDWncM6d5M7uF0EPaghkG72rc//xINZVdOD9:d2NtHKsIC5CqFLVBaVYc5YuF0q5b5cZK
Threatray 4'032 similar samples on MalwareBazaar
TLSH T138F4231D35ECCF25D49887F56631E23913356C6EA831CA168EF66EDB3116BA0CB58F02
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
meterpreter
Create hunting rule
ID:
1
File name:
56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe
Verdict:
Malicious activity
Analysis date:
2025-08-06 23:02:30 UTC
Tags:
python github loader networm amus evasion snake keylogger miner meterpreter backdoor payload metasploit stealer wannacry ransomware auto generic purelogsstealer masslogger neshta quasar rat modiloader njrat dbatloader bladabindi phishing koiloader formbook pyinstaller banker grandoreiro phorpiex framework agenttesla vidar anydesk rmm-tool remcos amadey lumma valley loki xmrig coinminer lclipper clipper sality telegram cryptolocker screenconnect rdp asyncrat goproxy pythonstealer smtp possible-phishing clickfix sage purecrypter xred delphi emmenhtal ims-api gcleaner xloader
Link:
https://app.any.run/tasks/eca15521-57e8-4e77-830a-0616c3644631

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19406/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.56948145.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6894427f1e8a59ee04e6e9fc
Tags:
micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap obfuscated packed packed reconnaissance roboski stego
Link:
https://www.filescan.io/uploads/6894427c397fd3ce6fa048cf/reports/9e1efc56-2629-4259-aec5-5e5c6b79e271/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38dd3a82-434d-4852-9180-918c186bfb63
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65/
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-08-07 00:05:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7iurgpfyt4ui3tirg7zgmm54ph2eutfv6kfqolxlgtaqprh7rsq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
Formbook
6bfefb0f3b8a878aec69c3d830824c3bf7d5181ffd6d6e88dc4a8d793370c233
Formbook
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
Formbook
a148126bd00fc6170aefb6728c2792f592d94306efe6c21557132c71c668d6a1
Formbook
+ 4'022 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250807-gt67pacq9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b8b21bb3-2ea4-42d2-a2dd-475cbc277bef
Unpacked files
SH256 hash:
5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65
MD5 hash:
91c23ab2ef39e7c57e05755cd07ec49d
SHA1 hash:
8e4a2dddd512e9cd06d04dc1b21190d0c1d83b06
Link:
https://www.unpac.me/results/4e4feaa3-1424-4088-81f6-bf95a4a56e8e/
SH256 hash:
6e5ae0f729a327bceefc2a7ada433ecb62251d3ffb41ea483dc7391e643dfd0f
MD5 hash:
9793092e9b13d76e3efe1fa1503759ef
SHA1 hash:
178c8b83c18aae0b3e1845c65b06d3dad71c310b
Link:
https://www.unpac.me/results/4e4feaa3-1424-4088-81f6-bf95a4a56e8e/
SH256 hash:
160224e5c71c3a694b976650855666d30bed6d813b29bb1017afeec69eeb720e
MD5 hash:
613230121fb1734d16e2e7e4f4d8d793
SHA1 hash:
1ffcdaa0b5eef2ce61dd0845af6c657773518d95
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4e4feaa3-1424-4088-81f6-bf95a4a56e8e/
SH256 hash:
dc938ea15a9847461561589a5e520721e4cd54c435dacd13cbdd0840b15e88a2
MD5 hash:
b350e2b0ec02cf642dcacd824413695f
SHA1 hash:
b987018b77a844c3f34d541a03705030778d22d9
Link:
https://www.unpac.me/results/4e4feaa3-1424-4088-81f6-bf95a4a56e8e/
SH256 hash:
5e8c64f07ff0a0e62af1274b86a3a171881ae1f02967043ada5c97e29ee8502c
MD5 hash:
50a8bbe48e41e6fa24a55f1da233f0f1
SHA1 hash:
bc2238639e5f7e906c89d7d99d6d73333b327b2a
Link:
https://www.unpac.me/results/4e4feaa3-1424-4088-81f6-bf95a4a56e8e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fd14899e5c4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5fd14899e5c4f9446e6889bf93319de3cfa25265af9458397759a6083e27fc65

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3597799/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19406/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments