MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601
SHA3-384 hash: b9c89f6b77250128dc9b3ff4c32c5ebf74c322dc6ddce48b31495a171033abc54fdb355149799b028432854ae311001d
SHA1 hash: e8968df90ac1b191cb35092b2fd97cc3c7e76766
MD5 hash: b26bc87dc07222dff80c81e595dc69ce
humanhash: hawaii-burger-comet-juliet
File name:PO--0130356-501 PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:972'288 bytes
First seen:2026-01-21 09:07:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'693 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 24576:KItdg9gFSYkgBNUIPXlLYqgdrJTG6sId9V5:nt2Sx1BP1LYvl66z
Threatray 2'508 similar samples on MalwareBazaar
TLSH T1BC2512446B98CF12D4D15FF006A1E3B62374AEEBF811D20A8EEE6CEB3464F516954393
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/02d7b07a-48b2-4588-91f3-f0772c6b26e4/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO--0130356-501 PDF.exe
Verdict:
No threats detected
Analysis date:
2026-01-21 09:12:35 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/8bec5d67-cd84-4031-a761-dc7f49e78890

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49625/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69709796f3cf908ba506f5cc
Tags:
malware
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat formbook krypt packed
Link:
https://www.filescan.io/uploads/6970978f55805a763fecbee2/reports/d12bfc83-493d-4f1d-a44e-9c23777a2837/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-21T03:33:00Z UTC
Last seen:
2026-01-21T21:37:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0698c789-ffef-4cb9-a1ba-08d577e69bb1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1854720
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1854720 Sample: PO--0130356-501 PDF.exe Startdate: 21/01/2026 Architecture: WINDOWS Score: 100 33 www.030060669.xyz 2->33 35 www.visbodytech.com 2->35 37 17 other IPs or domains 2->37 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 5 other signatures 2->53 11 PO--0130356-501 PDF.exe 3 2->11         started        signatures3 51 Performs DNS queries to domains with low reputation 33->51 process4 file5 31 C:\Users\user\...\PO--0130356-501 PDF.exe.log, ASCII 11->31 dropped 14 PO--0130356-501 PDF.exe 11->14         started        17 PO--0130356-501 PDF.exe 11->17         started        process6 signatures7 63 Maps a DLL or memory area into another process 14->63 19 epWrHggSdEan.exe 14->19 injected process8 dnsIp9 39 www.taivo.life 104.207.66.126, 49736, 49737, 49738 WINNE-IPV4-1US United States 19->39 41 spexiuminfotech.in 162.214.80.18, 49755, 49756, 49757 UNIFIEDLAYER-AS-1US United States 19->41 43 11 other IPs or domains 19->43 22 RMActivate_ssp_isv.exe 13 19->22         started        process10 signatures11 55 Tries to steal Mail credentials (via file / registry access) 22->55 57 Tries to harvest and steal browser information (history, passwords, etc) 22->57 59 Modifies the context of a thread in another process (thread injection) 22->59 61 3 other signatures 22->61 25 chrome.exe 22->25         started        27 firefox.exe 22->27         started        process12 process13 29 WerFault.exe 4 25->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86
Link:
https://app.malva.re/file/b26bc87dc07222dff80c81e595dc69ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2026-01-21 07:26:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 37 (64.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nn3po2462jimn6rqzuv3qiudfgbjyt5mcyo42ecyw6tebp75eyaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
44ece3fd771b241e7adb7b8a46317aa0dce39aa4b815912805de4dc6ff631ae4
Formbook
5c0bdefeb2e965c9cb1aa42e28b84b31e11693b4438c47e97be98fb1b496d940
Formbook
69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce
Formbook
c6aa56afa7a6941d9bb8786b07e192ea996d3a133c992285b58349cc5c204561
Formbook
d80e5353fa1942cb04ab1f9616e401835a42d292e4b4630a79340f1776eebe8b
Formbook
eb4f9a361af2fec77bcdea8b68e5aaf3d8e0ebbac245623975e99cf2a73861b3
Formbook
f4160d848ce8fc3d06604dbed868251d960839dc351673a5aec208ba48ebfc7e
Formbook
f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
Formbook
+ 2'498 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260121-k36jasdy2c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601
MD5 hash:
b26bc87dc07222dff80c81e595dc69ce
SHA1 hash:
e8968df90ac1b191cb35092b2fd97cc3c7e76766
Link:
https://www.unpac.me/results/b5702108-d6c9-4d1b-b50c-4fcf7d941488/
SH256 hash:
88065777c01820c18775b3a10b46d66631f18ed914d4a707db306eedaab0ddaf
MD5 hash:
a0a8c88c586d61855f740bbeb0b70453
SHA1 hash:
052556ebe11f35e977e529d8188bb4b3942a5f77
Link:
https://www.unpac.me/results/b5702108-d6c9-4d1b-b50c-4fcf7d941488/
SH256 hash:
faff694395a2c87253e891ea455604163751c4156a5ad2f01c4d5191ac1bc665
MD5 hash:
3277d3bc3d7b6b642bf697146bfdca81
SHA1 hash:
19df437b553432f72d5a8f3d4bca70399937b7cf
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b5702108-d6c9-4d1b-b50c-4fcf7d941488/
SH256 hash:
4c1c565207f0075b849c8069918d3acd1561ccbb6f2aef7073d45de6dab29452
MD5 hash:
3d6fd4cfb478847ec5b4e1a18fd7e5ab
SHA1 hash:
6cdf4a9f2139b11944a4333e520315233b67d5df
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/b5702108-d6c9-4d1b-b50c-4fcf7d941488/
Parent samples :
6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601
60ef1afae839bd774d59f78c2866dad57a397db6f1c3a8432d3daa39985e040c
470ce68595ae8ca768012d0ec974f0099d2bfb4995d6d8547df82c7186752853
98d3d28d8ed5c914a3be450d61d663cd23c46f56fc733b5f5c3d8cb82d87ecdc
13d86cd98fa20c90ce941d9e3088a00abef85faed0695ca7bcf3434a704dd810
269de0e65190026ded5ec7b2a27ca655722c107bcaa7072fb09a8240ff29c233
SH256 hash:
0d921debae4656f5a8405741b68ed5606dc8fe4ac5dfac49d396aa5c999d56ca
MD5 hash:
6bda1209052b33446b7a36d8a32da7bd
SHA1 hash:
cf1bb5ac2305f1a42f72fb1a322762ed6ceb2146
Link:
https://www.unpac.me/results/b5702108-d6c9-4d1b-b50c-4fcf7d941488/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b76f76b9ed2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6b76f76b9ed250c6fa30cd2bb8228329829c4fac161dcd1058b7a640bffd2601

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49625/

Comments