MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
SHA3-384 hash: 2f2cffc26bce1d4c56d3bd7f5c2e8f7d0f1f8ec753f9b8a8a42ef4ce754a880c1a94bdc4b4614e2dee6b3ecff5750de9
SHA1 hash: d1ca567620ee59113a3c4f122a173cbc6126fd55
MD5 hash: b3e69dea8f7468b2dd53e5917b8a9ec2
humanhash: one-whiskey-spring-twenty
File name:AWB-628976668987877523696529689#.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:675'328 bytes
First seen:2025-11-04 12:06:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:66+kjSJz8y/sr8+SndGnviv50qhwBU3MCjl6yGho0MPDDppO:4m8FSviv50Xm3MC56RhqDpp
Threatray 2'095 similar samples on MalwareBazaar
TLSH T11BE47C2531EB5156C872EBE30FEFFCB6967EF136112EB53634A3128683A1E019D92075
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB-628976668987877523696529689#.exe
Verdict:
No threats detected
Analysis date:
2025-11-04 12:07:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b19bab6-34f4-4452-82a4-87cfb002f744

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35288/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6909ec729942f1282ecbed6a
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6909ec7a4425b0b1fd13b995/reports/f22a02b5-b9c3-4c56-81f6-8cf234461fb6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-04T05:48:00Z UTC
Last seen:
2025-11-05T09:20:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Blakken.sb Trojan.MSIL.Inject.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan.Win32.SpeedBit.sb Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.Taskun.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Injector.sb
Link:
https://opentip.kaspersky.com/810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1070f210-29df-48d2-bd13-4fef16c648a4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1807692
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.34 Win 32 Exe x86
Link:
https://app.malva.re/file/b3e69dea8f7468b2dd53e5917b8a9ec2
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 12:10:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qehm2jlm4gx6cbxn6prmvnxkt4zyidvhdvnz6fkzx5qklgcmmvyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
xworm
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
099aab7e93cc90414b63769dba429546e4f98953f1c8304f6b8109e6fa0a824e
Formbook
2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
Formbook
4123bedccc18eee83aa4c7d8e1b64191ddde5fc234bd3c1cbd7f998571e47112
Formbook
9d854ef77324e13432f5a59bdc1551e6425c8a5c533ee15a7e497e886636d30a
Formbook
c34753d6a802dcb3570354a7ecc7e930d957a28cca0d63e698ac0c0cbe67e6cc
Formbook
error
Formbook
+ 2'085 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:te56 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251104-paandasjdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/90691f0e-55f5-4961-920c-df092d1a6eae
Unpacked files
SH256 hash:
810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
MD5 hash:
b3e69dea8f7468b2dd53e5917b8a9ec2
SHA1 hash:
d1ca567620ee59113a3c4f122a173cbc6126fd55
Link:
https://www.unpac.me/results/90b9640c-1335-4515-bb13-a5cd778e5635/
SH256 hash:
c60c6c759be78f5e56d2628ac7a0679639cc5033d15f8b8563f2f2f7c9b18b3e
MD5 hash:
86b6d529bfcb37163f7e00c6ce7caa45
SHA1 hash:
8ead7567669d618ee47a1a316cf8ce5c2239baf1
Link:
https://www.unpac.me/results/90b9640c-1335-4515-bb13-a5cd778e5635/
SH256 hash:
2669cc696477acff3fef096bcb17f0715f7ea6baef9032390c6a84a2cfb38b58
MD5 hash:
853e44a0f337f481a270443f69d1e7f8
SHA1 hash:
ea6bc65a3b155fd5b568f4567e41e7b713eac0c8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/90b9640c-1335-4515-bb13-a5cd778e5635/
SH256 hash:
65905ee3589ae10b46abe9e22aedf1351c10b15c6f9ac3fe914e7e52caedced8
MD5 hash:
cdd2773bc382ec08ab5eca0b43c2657d
SHA1 hash:
f106c43ff2ff3e66842d40a58a5a23ef2ce04724
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/90b9640c-1335-4515-bb13-a5cd778e5635/
Parent samples :
2fb4fd8f482e50ae5fb82247c94247c33ff6d60224d293ac98a568b819959965
810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/810ecd256ce1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 810ecd256ce1afe106edf3e2cab6ea9f33840ea71d5b9f1559bf60a5984c6571

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35288/

Comments