MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ac86c15c30281142e6079a462dabd0d542de4e4396b9708a8da7edd5062c2d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 17

SHA256 hash: 7ac86c15c30281142e6079a462dabd0d542de4e4396b9708a8da7edd5062c2d0
SHA3-384 hash: 1a8bbf234f9a9ce5d05599ec3f5addae7a6a0c59a0b1c3c190bd1d0d0211d62efaf18290eafbce63b6d50ee96710841b
SHA1 hash: ea3c1cb1cad8680c06b162fb5c697da691fb7c25
MD5 hash: 18cd5ae8087ac26f58faabfa001f3ad9
humanhash: november-nine-purple-washington
File name: NSR-002-QUO-KOPA25106865-01.exe
Signature: Formbook
File size: 749'568 bytes
First seen: 2025-11-10 09:00:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'841 x AgentTesla, 19'773 x Formbook, 12'296 x SnakeKeylogger)
ssdeep: 12288:0a08HV9L293ycsgd5mpKD9WaGDph74wqdSyZk/m0jLs3TvUKW4ip5xsKn/NDxKKN:0m9LM3yxRpJNph7vqdQ/Ds3bTWbxbnG2
TLSH: T15CF401643319D517E86697B859B1E3B423797EA9AA01D3CB9FD87DCFB8B0F404821213
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: adrian__luca
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 123
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: NSR-002-QUO-KOPA25106865-01.exe
Verdict: No threats detected
Analysis date: 2025-11-10 09:10:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Creating a process with a hidden window
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
  Creating synchronization primitives
  Adding an exclusion to Microsoft Defender
  Gathering data
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-03T22:46:00Z UTC
Last seen: 2025-11-11T12:57:00Z UTC
Hits: ~1000
Detections: Trojan-Spy.Noon.HTTP.ServerRequest, PDM:Trojan.Win32.Generic, Backdoor.Agent.HTTP.C&C, Trojan-Spy.Win32.Noon.sb, Trojan.MSIL.Taskun.sb, Trojan.MSIL.Inject.sb, Trojan.MSIL.Crypt.sb, HEUR:Trojan-Spy.MSIL.Noon.gen

Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.40 Win 32 Exe x86

Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2025-11-04 05:28:35 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook unc_loader_037 xworm
Similar samples:

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery execution rat spyware stealer trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Checks computer location settings
  Command and Scripting Interpreter: PowerShell
  Formbook payload
  Formbook
  Formbook family
Unpacked files

SHA256 hash: 7ac86c15c30281142e6079a462dabd0d542de4e4396b9708a8da7edd5062c2d0
MD5 hash: 18cd5ae8087ac26f58faabfa001f3ad9
SHA1 hash: ea3c1cb1cad8680c06b162fb5c697da691fb7c25

SHA256 hash: af26ee533c8f0f8da5b08fcf050592aa09abb9c64e4c4a195cc32fce01dbf018
MD5 hash: 9c806e3429c46c64578c67b7f518085d
SHA1 hash: 41f7a963b82e9528fe07910cf920838eaf4affd0

SHA256 hash: d6dc2203aee5fc7d0461aac3e3fcb7f3b1674c16329b15bb86b9c82620a3a7b1
MD5 hash: f8a8c05d81e6101b4b18f67a608ec728
SHA1 hash: 67f10c16b0deeb234e2564b48ca050338d67ccef
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: f807ca17f2d453195f174a19bdaa6b2555bd311703196f92c188e23745752da0
MD5 hash: b0dc1c834fd3ec0428112a9258f40a17
SHA1 hash: e5d20e42b786ea57795c97ac0fa2ebf9d9d3395c

SHA256 hash: 5756d9750dfea95e1a04b78de642203c7f3ac10c114679dc26fe963331fd0090
MD5 hash: 92dbf90453c4a0ad9ff72dfe4942e5da
SHA1 hash: 6b6538681f4c2f420382cb653e115f22f104ad07

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook
Executable exe 7ac86c15c30281142e6079a462dabd0d542de4e4396b9708a8da7edd5062c2d0 (this sample)
Delivery method: Distributed via e-mail attachment