MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc
SHA3-384 hash:	d8d8bbd78c2115172b2cdc30b4511b876234a19f3cd9f1b0e983e29d1f602652a2acfbc43beaa653110571fb34449048
SHA1 hash:	e2ca397e5699bc80f4b4e80ef7b044267fc4f7ec
MD5 hash:	68b45b4220514c7e3cc22a9435fccbaf
humanhash:	happy-whiskey-montana-winter
File name:	7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc
Download:	download sample
Signature	Formbook Create hunting rule
File size:	920'064 bytes
First seen:	2026-06-08 09:45:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	12288:erFc3jdHL/kCer+lh9E2IhUAcJBgpFO11zDP9+inVIuCR6t1tqOyRknk0Hro9+D6:nxgHw9yRcJBgpFO/PIsVIuCRIpMSjEd
TLSH	T1D11512186A4AE607CA9627B40E70F2B4132D2EEEA521D707AFDD6DDBB677F010E04147
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/d782a8ca-4cde-43ae-93e6-faffeb07835f/

Malware family:

formbook

ID:

File name:

7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc.exe

Verdict:

Malicious activity

Analysis date:

2026-06-08 09:48:57 UTC

Tags:

auto-reg formbook stealer xloader

Link:

https://app.any.run/tasks/c545ce57-2520-4663-b60f-8679e202242c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/69909/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a268fdeae2f98c00a68cc2a

Tags:

infosteal virus shell micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed similar-threat

Link:

https://www.filescan.io/uploads/6a268f81bf16337e43bb2f4e/reports/24b7188d-d53c-4518-a167-e7d32128f3aa/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-15T08:28:00Z UTC

Last seen:

2026-06-05T14:57:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb HEUR:Trojan.MSIL.Taskun.gen Backdoor.Win32.Androm.sb

Link:

https://opentip.kaspersky.com/7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ec98154-d2c7-465a-900b-76f1612e2eb9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc

Gathering data

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc

Threat name:

Win32.Trojan.Acll

Status:

Malicious

First seen:

2026-05-15 12:32:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p7l32k4l5b7hu7i7di23ryxrcwutsoyrnbhop2kllvtlsoeqnl6a._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:be04 discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/260608-lrn1jsbx7p/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Family: Formbook

Formbook payload

Unpacked files

SH256 hash:

7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc

MD5 hash:

68b45b4220514c7e3cc22a9435fccbaf

SHA1 hash:

e2ca397e5699bc80f4b4e80ef7b044267fc4f7ec

Link:

https://www.unpac.me/results/fdb2eef3-47ed-4898-9383-5d03d08aba00/

SH256 hash:

595edda002741a5cb81e707e91acb346508d84dd14b9ebbff6c23235827d1a96

MD5 hash:

14dc5d27158baea6a5b45ef560112202

SHA1 hash:

2b40f79650a5867742ba97082e8aa3577e598ed6

Link:

https://www.unpac.me/results/fdb2eef3-47ed-4898-9383-5d03d08aba00/

SH256 hash:

363ee51fc02f20cb206039434758c3afa1c71bc7d316c6db4a39b0d310ab92f9

MD5 hash:

afe085b7324d72673eef749ff5f21a49

SHA1 hash:

a86f1039a8877804b1b2c99aed91312846cd40e5

Link:

https://www.unpac.me/results/fdb2eef3-47ed-4898-9383-5d03d08aba00/

SH256 hash:

1d2546f54c2e0236f49eb733160c4fc49828d612416c7e09379aa23f5df01e4e

MD5 hash:

02dcd52eaed5e2133ebffc427d7befcc

SHA1 hash:

96911e8c81efaa5875390ac27b136c09b570fe3b

Detections:

win_formbook_w0

win_formbook_g0

win_formbook_auto

FormBook

Link:

https://www.unpac.me/results/fdb2eef3-47ed-4898-9383-5d03d08aba00/

Parent samples :

0cfbc10a408c5747c977cbac7e92bee4aaac42f6fb8d3d73b6e3b0de05208ba0
0ff8a207bf56f8ad568fe2ccf540cab84a202c04aa1dbe691b6202c98b39f806
b09ba69fa3bf6102addb87e1c01b51a310509a96a66775bb1cacd94ec3c6875e
7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc
35460d0ed6ddee3f707f73eaacf6e49f09f789bdbf460c21f491ba2ff2bb78ef
63dc260a747b9043efb746b691bfc5a9237d1b152321a901bfe156b33e723c9c
c40f8295708cd278252addbc5f42bc9ee1c221efa8c1bbc2b3e7dbb8f8ea8eb3

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7fd7bd2b8be87e7a7d1f1a35b8e2f115a9393b11684ee7e94b5d66b938906afc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69909/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample