MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7212a9cb63a6703ad235ebb4db18d5c7eab2d5a3e13dfced075daf4c440f0900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 19


SHA256 hash: 7212a9cb63a6703ad235ebb4db18d5c7eab2d5a3e13dfced075daf4c440f0900
SHA3-384 hash: 8b25cc64b6e0eafc5d123674f030da6a4cbd13f699e2717b92b70f8d76ef77b8faffb45c81c915740855d2b9ebda0cc4
SHA1 hash: 6fe4d55cb024c87c9196d7f9f138cb5d61e2a8cb
MD5 hash: 075eb78eeae6f23401e6f41a024dc50a
humanhash: mississippi-jersey-twenty-xray
File name: PO_1400083954_PDF.bat
Signature: Formbook
File size: 1'074'176 bytes
First seen: 2026-07-02 14:45:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'079 x AgentTesla, 20'051 x Formbook, 12'353 x SnakeKeylogger)
ssdeep: 24576:ua6UwLYBmZfik5agJer4/3Y3vatIkjQzLMg2K:ua69LYAd9BB/3hIyiMtK
Threatray: 2'946 similar samples on MalwareBazaar
TLSH: T169351264236DD703D4B34BF409B1E63853B83E99A522D20B9ED57DDFB83A39066143A3
TrID: 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
      4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: lowmal3
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 140
Origin country: DE

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: exe
Verdict: Malicious activity
Analysis date: 2026-07-02 14:57:48 UTC
Tags: auto-reg formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: micro spawn sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a service
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
File Type: exe x32
First seen: 2026-07-02T06:38:00Z UTC
Last seen: 2026-07-02T09:38:00Z UTC
Hits: ~10

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (rendered as an image on the original page; node text not reproduced here): Behavior Graph ID: 1936794; Sample: PO_1400083954_PDF.bat.exe; Startdate: 02/07/2026; Architecture: WINDOWS; Score: 100
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86

Threat name: ByteCode-MSIL.Backdoor.Remcos
Status: Malicious
First seen: 2026-07-02 14:46:49 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 16 of 36 (44.44%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook adware collection discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 7212a9cb63a6703ad235ebb4db18d5c7eab2d5a3e13dfced075daf4c440f0900 (this sample)

Delivery method
Distributed via e-mail attachment
