MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 9 File information Comments

SHA256 hash:	6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7
SHA3-384 hash:	37d4f422692abeba36e0a3a7d9aefdce8ebc867605c46c10729edc9c80a3447e186bf5d35020a31bc18d6c87b17a3389
SHA1 hash:	522829d284c7854c1b00dfa355b09e0fd09ac403
MD5 hash:	37e148eb693a941f286c340c0d847573
humanhash:	eleven-fanta-echo-asparagus
File name:	6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7
Download:	download sample
Signature	Formbook Create hunting rule
File size:	761'344 bytes
First seen:	2025-11-06 11:24:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (70 x Formbook, 33 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:Zz7hU5I5yuNHIgzSFKxWltRohBfSTso93UEY+9nqrKY74CdtLhuYjJNVio3zi6p2:Zf+iN57Gtene3Hh9nYKYNd9io3zi6pbC
Threatray	2'091 similar samples on MalwareBazaar
TLSH	T16BF422519AD1D894C8117336C826CD6445787AB1AD16763DC73EE2AF3C32382BE1A72F
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	761'344 bytes
File size (de-compressed) :	1'268'224 bytes
Format:	win32/pe
Unpacked file:	313386d99a89a5f9ab94206e9b951a2f8ed5d968a6b5d821c927ee5f3f83585f

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7

Verdict:

No threats detected

Analysis date:

2025-11-06 20:49:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3478f405-2a1d-4d1b-ab77-31807dbdb642

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/36167/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c85a15a5ed7864e237da8

Tags:

autoit virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Cerbu.Generic

Link:

https://www.hybrid-analysis.com/sample/6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-27T12:53:00Z UTC

Last seen:

2025-11-03T00:11:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4cfe2fb6-7f05-4591-afd1-c898a3e667b9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/37e148eb693a941f286c340c0d847573

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7/

Threat name:

Win32.Trojan.Cerbu

Status:

Malicious

First seen:

2025-10-27 13:09:35 UTC

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nzegpy4b74k7ipdo46bxmxh5um4nejfvwl5yhcfn4343ksazxltq._file

Verdict:

malicious

Label(s):

formbook

Formbook

611800d260a261ca41759e9c79312cdabe2529bc8fe362f296b348c5fa1a5c09

Formbook

7adce544b62e952c35eda61e57a188834b85bade02d1112ac2e8cf910bcb5903

Formbook

8faac78f80a1ae49c5c8d4272d7ec9d6aa9676b94a31c634a2786a9a2d802e34

Formbook

b486ec0314eabf1bd79a42201829893561d949978e264bcaec545ba7f1b25f10

Formbook

c8eb86820e2bb79b01f13912d9dc05afe153c0eb4465aa6ccdcb4bff68b2c343

Formbook

cf7b3427dd7cb3cd41edafb409f7ad0649735e69311db73ec1546c7b25b37e58

Formbook

e5a80ce04f2119cef25fc5aafaa36c0ec6319724dcc4676c90aa04eddeeafb73

Formbook

f4a2ff30755f15ff9c9e1ea5fdabd00f3c2755bb9d28829390833b07fc1cdce1

Formbook

+ 2'081 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan upx

Link:

https://tria.ge/reports/251106-njg85szrew/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/31951e2d-afee-4520-9101-e823a5e62450

Unpacked files

SH256 hash:

6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7

MD5 hash:

37e148eb693a941f286c340c0d847573

SHA1 hash:

522829d284c7854c1b00dfa355b09e0fd09ac403

Link:

https://www.unpac.me/results/99ac5207-aff7-45ff-8d1b-d165d81bcd83/

SH256 hash:

313386d99a89a5f9ab94206e9b951a2f8ed5d968a6b5d821c927ee5f3f83585f

MD5 hash:

db6b71175ab4911eafcb668e81ae5110

SHA1 hash:

aa40605b5f92d3e2b30da0569ef603439f458d4a

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/99ac5207-aff7-45ff-8d1b-d165d81bcd83/

Parent samples :

6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7
313386d99a89a5f9ab94206e9b951a2f8ed5d968a6b5d821c927ee5f3f83585f

SH256 hash:

6d22e71b6d3c76857a7fc7941b1facff35b76295e2f9678b2df24ffda738abbe

MD5 hash:

280bada417847aeb9385a0e7e198d5a0

SHA1 hash:

689a8845e1f64394e745c2b52e3e0e088c524ce1

Link:

https://www.unpac.me/results/99ac5207-aff7-45ff-8d1b-d165d81bcd83/

SH256 hash:

641cc1c21aaa03a2ca94f57b514c98a5ebd6374fdd1646d87273011942766744

MD5 hash:

6d71fb8b7569cc7374cd014da7c28690

SHA1 hash:

08ee46bc4191f8855ed7ac215414151e77dcfad3

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/99ac5207-aff7-45ff-8d1b-d165d81bcd83/

Parent samples :

e5a80ce04f2119cef25fc5aafaa36c0ec6319724dcc4676c90aa04eddeeafb73
cf7b3427dd7cb3cd41edafb409f7ad0649735e69311db73ec1546c7b25b37e58
6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7
313386d99a89a5f9ab94206e9b951a2f8ed5d968a6b5d821c927ee5f3f83585f
971420c75858816fd7d63e31fd1caa66d69bc64a4d7b9c7b3d14cae787909b67

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Formbook

exe 6e4867e381ff15f43c6ee783765cfda338d224b5b2fb8388ade6f9b54819bae7

(this sample)

Formbook

exe 313386d99a89a5f9ab94206e9b951a2f8ed5d968a6b5d821c927ee5f3f83585f

Cape

https://www.capesandbox.com/analysis/36167/

Dropping

SHA256 313386d99a89a5f9ab94206e9b951a2f8ed5d968a6b5d821c927ee5f3f83585f

Dropping

MD5 db6b71175ab4911eafcb668e81ae5110

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample