MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
SHA3-384 hash: 223e5e0ee882f787a1523a509655a5c120fa2f6aa7194fe9f42230408c7382ec1cc663ca110eeac665c2e66257d90e12
SHA1 hash: 499c60519ebb622e7736e5035bcdca7bf404905b
MD5 hash: 35ecf5e29556e566664ec7aec3a13e2b
humanhash: magnesium-montana-xray-carolina
File name:G0zICT7BrvSkguq.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:757'760 bytes
First seen:2025-12-02 08:50:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:u57Pa3viM5ikbW1i/nANnq7/NdNPFk5B38vWsZi6c9xHC:Ua/B5iWVnAYFdMP38vWsZiJDC
Threatray 2'267 similar samples on MalwareBazaar
TLSH T191F402479E88DA13F4A153FA6D73CA7827662E4DE021E79E4BEB4CCB78503124DCC265
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/b8274b0d-d767-4bad-b271-b23ead983c85/
Malware family:
n/a
ID:
1
File name:
_6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481.exe
Verdict:
No threats detected
Analysis date:
2025-12-02 09:10:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9bcfdf4e-5509-4d89-815e-92c91b90083f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42142/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692ea866264b106bd645e9f9
Tags:
virus micro msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/692ea852b3f6e5a2384b740a/reports/20fbce4d-21af-4703-85cb-51b1dd7e0606/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-01T13:42:00Z UTC
Last seen:
2025-12-03T16:03:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb HEUR:Trojan-PSW.Win32.Convagent.gen HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Stealer.sb HEUR:Backdoor.Win32.Convagent.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb
Link:
https://opentip.kaspersky.com/6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b91a554-bfd6-4289-99df-9cd677a1f381
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1824227
Signature
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1824227 Sample: G0zICT7BrvSkguq.exe Startdate: 02/12/2025 Architecture: WINDOWS Score: 100 34 www.wboxes.com 2->34 36 www.trainsandbeyond.com 2->36 38 10 other IPs or domains 2->38 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected FormBook 2->48 50 Yara detected AntiVM3 2->50 52 2 other signatures 2->52 11 G0zICT7BrvSkguq.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\...behaviorgraph0zICT7BrvSkguq.exe.log, ASCII 11->32 dropped 62 Tries to delay execution (extensive OutputDebugStringW loop) 11->62 64 Injects a PE file into a foreign processes 11->64 66 Unusual module load detection (module proxying) 11->66 15 G0zICT7BrvSkguq.exe 11->15         started        signatures6 process7 signatures8 68 Maps a DLL or memory area into another process 15->68 18 uFJHk8XfZwO73.exe 15->18 injected process9 process10 20 ktmutil.exe 13 18->20         started        signatures11 54 Tries to steal Mail credentials (via file / registry access) 20->54 56 Tries to harvest and steal browser information (history, passwords, etc) 20->56 58 Modifies the context of a thread in another process (thread injection) 20->58 60 4 other signatures 20->60 23 uTCwwDE8.exe 20->23 injected 26 chrome.exe 20->26         started        28 firefox.exe 20->28         started        process12 dnsIp13 40 daycareclinic.online 119.18.52.59, 49703, 49704, 49705 PUBLIC-DOMAIN-REGISTRYUS India 23->40 42 www.dvtmwvm.info 154.89.156.31, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 23->42 44 7 other IPs or domains 23->44 30 WerFault.exe 4 26->30         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.38 Win 32 Exe x86
Link:
https://app.malva.re/file/35ecf5e29556e566664ec7aec3a13e2b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
Threat name:
Win32.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-12-02 08:50:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlcwn2ngtzf5gogpuztfybfjktejd7c4bfuyv2c2idmvmv4w6saq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
Formbook
70f1abf1a366530426cb0afa916a8a3c2402fee0349f6784447afeac70167263
Formbook
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
Formbook
d04519a5f28662179a347bfff8fb1a96984b9019d097cab9d6903069129370fb
Formbook
db603d2938218ca0b95c604a319858d625907401a9317fafce65d916c7858347
Formbook
error
Formbook
f700d8f24641f9310d77efafa721c329d43b1b568fa5c122cb624de9a8708968
Formbook
f7f0d0bcd56c2b929b687aa0c15305be4f71495d0b1ce5609fed155ddb0c016c
Formbook
+ 2'257 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251202-krz75sdn2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9e507905-e2b1-471d-96fe-d8c206d8b3fb
Unpacked files
SH256 hash:
6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
MD5 hash:
35ecf5e29556e566664ec7aec3a13e2b
SHA1 hash:
499c60519ebb622e7736e5035bcdca7bf404905b
Link:
https://www.unpac.me/results/64c49ff1-e530-47bf-9af6-6a47817523e0/
SH256 hash:
7821cbedfbe50e06d5cca09ede0a2a7652bf12f2990d5d4f9e9a17871328f031
MD5 hash:
03fdb3e069529a061be292414a36c942
SHA1 hash:
2bad5c2e2700665c1f7e96e1585a2373d735cda8
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/64c49ff1-e530-47bf-9af6-6a47817523e0/
Parent samples :
68358632af8885e3e550eb075c1bc1b2f38e2366fc8e2c19c8fb065865b174c3
6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
SH256 hash:
a9e691518ea41e0fe1421582a29347b5629e6e32cbe927084b96f3e8a04e4cd9
MD5 hash:
be2396fecdca1b5d136666bfcc43c3b1
SHA1 hash:
966f9d6443e9117a6f7eff42d76e52113b7d9f49
Link:
https://www.unpac.me/results/64c49ff1-e530-47bf-9af6-6a47817523e0/
SH256 hash:
759fef22a55b54473f6197bce93ea2867433a21fdb3cb75f04878668ea08c9bf
MD5 hash:
aaaec90b3cd2ab7b69273c5890d2ecfb
SHA1 hash:
a4a3d38a5199769908eeb1fc76fb69318df1566d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/64c49ff1-e530-47bf-9af6-6a47817523e0/
SH256 hash:
5a0f8ec4059f384e432b10d4d678e3e4f8c2b723216e4e459750007750c33610
MD5 hash:
a1218cabacfb26cca116843ee698174a
SHA1 hash:
39f36bf72b177b4f7dbb99ae161e31aa2f2da065
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/64c49ff1-e530-47bf-9af6-6a47817523e0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6ac566e9a69e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42142/

Comments