MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266
SHA3-384 hash:	6b48bec4f7ecb048c5bdcfdaca23241de6a6b5ebfd1886935da9dfa77c9c56150eeace55d58971b14defd7e35c29fc37
SHA1 hash:	7b143844543b153631edfe85ed26572d5b7d02fd
MD5 hash:	7a9e4607a89bb858b6dcf559a2c6fb8a
humanhash:	social-low-jersey-two
File name:	61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266
Download:	download sample
Signature	Formbook Create hunting rule
File size:	988'160 bytes
First seen:	2026-02-05 15:16:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	24576:KvW69ClNZdZDtn+VK7Jaj2zojQ+h2Pq01XtDmJ8WsovW:KQZZn3hEMPq0BtCJ8
Threatray	2'835 similar samples on MalwareBazaar
TLSH	T18825F2582B06D117CE5197384AB1F7F86A5C5EEAB800E3135FDCBEAFB969D1A4C40092
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/8ffa53e8-d013-4ea7-99b9-f67b4c7bd283/

Malware family:

formbook

ID:

File name:

61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266

Verdict:

Malicious activity

Analysis date:

2026-02-05 17:56:53 UTC

Tags:

formbook stealer xloader

Link:

https://app.any.run/tasks/c7b778ff-4b3e-4c5c-b598-1639697e972e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/51972/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6984b483ae5379bb6609c288

Tags:

agenttesla infosteal

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-16T00:54:00Z UTC

Last seen:

2026-01-30T05:43:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20c74aa9-7615-4695-b805-2e7dd2a2bcc8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86

Link:

https://app.malva.re/file/7a9e4607a89bb858b6dcf559a2c6fb8a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2026-01-16 07:11:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=meezuvqoejsca55igeqmppo2ccjpibanoe46flad4aykgkmzijta._file

Verdict:

malicious

Label(s):

formbook

Formbook

3f57d382a91d317a9534cdc957cd87407f5515c8950320987338dddb4899aeb8

Formbook

62641672222e838c59836451c910b29233433eb80581fc7f3672de2b6a33b365

Formbook

8225196d0848e0f36d4ecc8c8ef8ae592c5d172570dd4cd5aa13fbc2daae2fd3

Formbook

da99e5e90a490e93120bd11d5bdb6226ad5e6fa21c10d5514b97d09b56dcc403

Formbook

dcba50a5be328e080a5496812c9c9d0d2f3bda66372fb376b716997e6323c16d

Formbook

ebc963782a30a3e6cc360a6e4fda16d2acac2de13ee0d8db863082e699dabd5a

Formbook

ee68d6bc31aa1661dfdbf95b66fccba4ec8678ee2b6f384d8f51cab0608e81df

Formbook

f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4

Formbook

+ 2'825 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:tu90 discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/260205-sn66aahx7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Unpacked files

SH256 hash:

61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266

MD5 hash:

7a9e4607a89bb858b6dcf559a2c6fb8a

SHA1 hash:

7b143844543b153631edfe85ed26572d5b7d02fd

Link:

https://www.unpac.me/results/c76617c4-5cbb-4275-82a6-8687f09b9678/

SH256 hash:

11fe0446a3ee4f3fbb1b0e8453f6c15f72f2d288cbf4462b10ff3f8739f6f3c6

MD5 hash:

50deae66f99ecd42ccf09115d4c94cca

SHA1 hash:

090bf618089f3c633ab697bd1feb0ad5feb61798

Link:

https://www.unpac.me/results/c76617c4-5cbb-4275-82a6-8687f09b9678/

SH256 hash:

56814e9bc2b333d210e2d6249b603863d8b38e0386eb1c505cfc61ba70f308de

MD5 hash:

e009e43b05d3f88ac3982fa6f07303a5

SHA1 hash:

6123dd8784250aa33867bdbebe11d36f3708b685

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/c76617c4-5cbb-4275-82a6-8687f09b9678/

SH256 hash:

aa4a94ed4db230e947bb3ce902930b400a1b80fac3d26d79dc001886b6b41fb5

MD5 hash:

be1f695d03b51640f168785c4270bccc

SHA1 hash:

509fdbe0b9410f9308f0a8e259daeb55dd0f49de

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/c76617c4-5cbb-4275-82a6-8687f09b9678/

Parent samples :

1471b20910e2fcde628fd2b3d93885a78c6088a210c6fe8855ebd0274a457da9
a8fa5220308aa1c661186f1aa5aaa6858295d68a782efe4429018fbe41c74997
4f175db08cdf7003dfedf93074abaaebb774b5852346e93161517c909d3a0cee
61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266
428d59a68ebf5f9cfdacfab35823e7f4838c53da200072abe7a07c9cb139557d
2b42f648d1f3c2eea55de8351293b7e66b5c2d0ecbedd7d0ed86602aa55b9dd0

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/61099a560e22642077a83120c7bdda1092f4040d7139e2ac03e030a329994266

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51972/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample