MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
SHA3-384 hash: 61ad5cc4d1236fd36bd814942d09eb1ce45df4ec172439a3a868610fe04946fe7017e4292b9ae80320061790b7e579c4
SHA1 hash: f977a8008b2d73f51572dbeeab188d1e81011a41
MD5 hash: 0e3b8c126a75990809b454a9e99c3c92
humanhash: vermont-summer-louisiana-pasta
File name:63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
Download: download sample
Signature Formbook
Create hunting rule
File size:1'304'064 bytes
First seen:2025-12-08 15:32:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1895460fffad9475fda0c84755ecfee1 (341 x Formbook, 90 x AgentTesla, 56 x a310Logger)
ssdeep 24576:y5EmXFtKaL4/oFe5T9yyXYfP1ijXdamcPGTebtwIna2/3XbeT:yPVt/LZeJbInQRamcPGsZXr
Threatray 2'229 similar samples on MalwareBazaar
TLSH T15855BE0233818067FF5799334E5AE2215ABD6D260127E51F13A8397EB9B0271137F7A7
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/412b8a54-c0f2-4e4e-bd1c-ca3ed21bd3a8/
Malware family:
n/a
ID:
1
File name:
63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
Verdict:
No threats detected
Analysis date:
2025-12-09 01:18:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a481e8d9-5af4-40e0-8f44-dc8b98a98365

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43555/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Agent.35E5V6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936f071db58e1a2c22b94a1
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
DNS request
Connection attempt
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-24T09:46:00Z UTC
Last seen:
2025-12-10T11:09:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63/results?tab=lookup
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/0e3b8c126a75990809b454a9e99c3c92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-11-24 18:57:55 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mov4idfq4taxtwxv4fe5m6obh6y5a4i3vmar7q4gk3mqkew3bnrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
032da2dc5566a0ea6335acb9a28dcd6d6083778614a8a7a2e0066a5baeeea2b5
Formbook
15923a9fc38c609142edebb4ff10369d18d53b82986c41b7d98c5037c191db06
Formbook
3efcddb7816f217e80f9ce4391d5bfa7256908d9336d1d12c1adb947af454d1b
Formbook
47f572b79047a00288b5160b8c466127c1fb187f4d7ab99a1865b2f41468d547
Formbook
60a8f087ea808e50d83e20099aa2fbedcd15bfb580f1524db4dc9e4a757d32d5
Formbook
6f78f41f127a47b73306a3c9f4d07fea0c2acb977e85bcc7055a171b44cd3646
Formbook
8261528703bade8ae4c6c3b7ff181aaaedf5c12e1c2ab9064cf12326a251cbbd
Formbook
85ad935b3f04ac7a537e4cf51894c03ed4764343f3b0d8c56657d9137d8e451e
Formbook
a2f35eb0011a96c25e98bccd89fa4f9ab9ab94e02ef9b0262ef455a72eb569a2
Formbook
e33e0044cb8cab8031d12c9e4cd922d81efeb5276dd5898ee2ef8b9cbdf28ddd
Formbook
+ 2'219 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251208-szgd1azjal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fdba947d-b26c-4fee-a956-84d268db53a9
Unpacked files
SH256 hash:
63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
MD5 hash:
0e3b8c126a75990809b454a9e99c3c92
SHA1 hash:
f977a8008b2d73f51572dbeeab188d1e81011a41
Link:
https://www.unpac.me/results/b66351a6-5423-4530-961c-12ba4cb572ac/
SH256 hash:
bd10b7d9aaf0db28a78f26831ac947b15f354a6322a986c50c89861af7f0512e
MD5 hash:
d1625de83588adc61e6fcc1ac4b23706
SHA1 hash:
dae6ea90cf21bca5149f7440cdff0081b44e666e
Link:
https://www.unpac.me/results/b66351a6-5423-4530-961c-12ba4cb572ac/
SH256 hash:
828816d67a86cb0a3b30f54cca49097595565b8ef37f04746a6718d6dcc193db
MD5 hash:
ba9bf0a2f988639bea330e155ea0ff0a
SHA1 hash:
7b13a8b37dea0e4d5eda42fc8ece7d8d609eb4e0
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b66351a6-5423-4530-961c-12ba4cb572ac/
Parent samples :
5f2ed559648203a404d265f63274ea1ae0885facaa08a1ab1daa0679fef08eb6
a2f35eb0011a96c25e98bccd89fa4f9ab9ab94e02ef9b0262ef455a72eb569a2
d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43555/

Comments