MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa
SHA3-384 hash: 68edc2de6cc266654ce232c4af88520eea1822cc8ab7d1330dd147c2a6421232afeb9328ded143a96fe687e3a524c578
SHA1 hash: de5e5c05ee56b8398afaa55f910eecbaf22dba68
MD5 hash: 2fbcf35c1bde07f3f9e62adaf44d5292
humanhash: saturn-vegan-sink-sweet
File name:Documents_008765.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:748'544 bytes
First seen:2025-10-01 09:23:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:UuaCcFzCllTv7YuftgA3xPXjrly1QWGJdFDB7NZcJBk+A89t+3gXMkSKMJtN:U3zIrsufVPzrl6idFDB7ncJe+NU3gXmt
Threatray 1'659 similar samples on MalwareBazaar
TLSH T1B8F41242236AEA03C0A21FB46970E37557A49D9CA516E3479FFEBCFF79387402805297
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Documents_008765.exe
Verdict:
No threats detected
Analysis date:
2025-10-01 09:27:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad96194a-b830-4e47-bff2-101cd680c045

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29677/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68dcf30e7d643f33eab90af6
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed tracker
Link:
https://www.filescan.io/uploads/68dcf310674d5fd6aa124188/reports/3714d69c-e605-4880-88b1-4f670d88557a/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-01T07:43:00Z UTC
Last seen:
2025-10-01T15:02:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8c4bd829-7b81-4df7-9048-b4a6ad4f4383
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-01 07:32:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ntie43e6e465u3nfncb263zpezj75mirwygvwkxqfybb2usw5d5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
Formbook
59ef1e380a7c0446b18002015e9060252a2cc9716affd3ddb51fabdb7d6c9a42
Formbook
5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17
Formbook
95c305c5d89970d7d4fbbe0649543d2286d21c678af50ef80ceebb360b0a3cbf
Formbook
ae8ef5ed53654de05a32d157f76dfbdc2e734f842c3b815ec2ef5f37fd24f157
Formbook
bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
Formbook
c55443835b9da7ef3fd8e804969c806713c352c5fbdbe8e673e348f9588e7189
Formbook
error
Formbook
fc039ad25b39ddf44318da5677c76c4273df5b74c5f9988985d7458c816c4dbc
Formbook
+ 1'649 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251001-lcpnjawkw6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01de89df-d063-4682-b337-bc56a2c58566
Unpacked files
SH256 hash:
6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa
MD5 hash:
2fbcf35c1bde07f3f9e62adaf44d5292
SHA1 hash:
de5e5c05ee56b8398afaa55f910eecbaf22dba68
Link:
https://www.unpac.me/results/fdee161b-a82b-4fa4-a486-0bede8104c8d/
SH256 hash:
bf1d1dc30e0d2881a7ab0381ee9cb7d3c1d9e1d610409c36616ca236cfc2c516
MD5 hash:
525601a401becc5a686b6aef61a7df34
SHA1 hash:
008aba98aa11e6ac31e839a6f519a5a2d07a1405
Link:
https://www.unpac.me/results/fdee161b-a82b-4fa4-a486-0bede8104c8d/
SH256 hash:
7c9057b64be09cc21e5df9b997b2aca6464b79b804fcab4eee7848cda8225d4a
MD5 hash:
910707ba0ca2796879872c67488df2e8
SHA1 hash:
58908fcde2802d0ac3c31789b7008b63f734a8b4
Link:
https://www.unpac.me/results/fdee161b-a82b-4fa4-a486-0bede8104c8d/
SH256 hash:
b4b0557d5a5e8fd09f3424dfa5d2799965ae228a480612c863428b34d068cdcb
MD5 hash:
8bf1283e6c04f5e9b14c04e6db8f0665
SHA1 hash:
b8a2908f8d0ba67c10b58398388d67cfd56d8851
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fdee161b-a82b-4fa4-a486-0bede8104c8d/
SH256 hash:
c52c78d7885d051ca38e62ee25f4cf8304fce125b85dcb5737b9948ef906c503
MD5 hash:
336221973d9c8c059915a6c6dd541a45
SHA1 hash:
d9fe1cc84a2e8ec39d2823d67b3f7cfea082b50d
Link:
https://www.unpac.me/results/fdee161b-a82b-4fa4-a486-0bede8104c8d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cd04e6c9e27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/6cd04e6c9e273dda6da56883af6f2f2653feb111b60d5b2af02e021d5256e8fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29677/

Comments