MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 19

Intelligence 19 IOCs YARA 9 File information Comments

SHA256 hash:	8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843
SHA3-384 hash:	7741f4db5fbb56a606d8fed229d88558ede91b1b17e3d261853dc28fa23b0c453111cec831a09e7322251b451c190bc9
SHA1 hash:	b982c5e3000ed9e9c66ba6b43da51fa78bdf8c34
MD5 hash:	3fff8586600f532c8e22967571ca15fe
humanhash:	undress-texas-equal-apart
File name:	Quotation.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'522'176 bytes
First seen:	2025-09-08 14:54:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1895460fffad9475fda0c84755ecfee1 (299 x Formbook, 52 x AgentTesla, 35 x SnakeKeylogger)
ssdeep	24576:95EmXFtKaL4/oFe5T9yyXYfP1ijXdawBI3OwaD8YpUhHU+JN:9PVt/LZeJbInQRawBI3yD860HU
Threatray	971 similar samples on MalwareBazaar
TLSH	T10E65CF027781C062FFAB95734F9AF22146BD6D260123E52F13683D7DBDB05A1463E6A3
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe FormBook Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quotation.z

Verdict:

Malicious activity

Analysis date:

2025-09-08 14:56:55 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/161f270a-c6f3-4467-8876-a05f9ed2e03f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/26312/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68beee776e66ba602d792e8f

Tags:

autoit emotet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script findstr fingerprint fingerprint keylogger lolbin microsoft_visual_cc netsh obfuscated regsvr32 threat wscript

Link:

https://www.filescan.io/uploads/68beee80a1a41633174d5990/reports/94f52017-e2a9-4621-b5b6-ef8f542328c9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-07T20:26:00Z UTC

Last seen:

2025-09-07T20:26:00Z UTC

Hits:

~1000

Detections:

Trojan.Win32.Zenpak.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb HEUR:Trojan.Script.AUO.gen

Link:

https://opentip.kaspersky.com/8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a114de19-92ba-4e9b-830f-673beaed60b4

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/3fff8586600f532c8e22967571ca15fe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-09-08 00:10:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r4de5rekovievf467einljt7ghbfvtkknodl4dfalgbgr5gknbbq._file

Verdict:

malicious

Label(s):

formbook

Formbook

336b45d6525d7f84650bedc820b46047a465bb14c2e6f7829a45be9436b363d6

Formbook

344a1d112d40622af871c3a370b4706dade1e3d164ea551d3b0e7a8e223d120a

Formbook

5de40cb80d71ff5cabc77ed1ae871532f78c3a74823c92e0a54ed1a8fd062297

Formbook

75dfbb18396808592a7b46045f58a499b13169b13c75efa51f5c715d1d3f03e2

Formbook

92465a1c7629bb10ce9f67b667871537887a281b66a90dd4d481612111d3dd63

Formbook

aa0227c6018d030ef8e31630cd92673ac3d30f7826a49059b4abfc26c77fd486

Formbook

cb4788741b2c7792c25c956a4c2dab349fed2e93c175cc79c112d6faf95ec8bd

Formbook

error

Formbook

+ 961 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250908-savv4awpy6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5f844784-8ca1-4e8c-8973-e4da544a32b7

Unpacked files

SH256 hash:

8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843

MD5 hash:

3fff8586600f532c8e22967571ca15fe

SHA1 hash:

b982c5e3000ed9e9c66ba6b43da51fa78bdf8c34

Link:

https://www.unpac.me/results/0da20c4f-b27a-42e1-9735-7afdeca54360/

SH256 hash:

857b705820a55cccffee01ee09c44158d25bcb2506951ede38ea2c15f639c664

MD5 hash:

fe33d3055b909c6b46c7970773d0d245

SHA1 hash:

2f5897f9e59fecc06524bf263d38ad7bc4798377

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/0da20c4f-b27a-42e1-9735-7afdeca54360/

Parent samples :

336b45d6525d7f84650bedc820b46047a465bb14c2e6f7829a45be9436b363d6
344a1d112d40622af871c3a370b4706dade1e3d164ea551d3b0e7a8e223d120a
8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843
b51ddf9600f7c0fc2a33a333fd7aac65eb2b3cd066a8153fd61a3b212c068ca7
6a020132c224fcca5502520620cc49dc82bd68330ae2312656f586c5e33ee602

SH256 hash:

ffe02523af00b56db1d65db0c43f197080d6007a48efc8c8e204584578e7a92c

MD5 hash:

d8ffb96fb8b990ac709a8c4f2f53bf96

SHA1 hash:

df3bb220fe24a83d35d11368ed1829834746e6db

Link:

https://www.unpac.me/results/0da20c4f-b27a-42e1-9735-7afdeca54360/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8f064ec48a75/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f064ec48a75504a979ef910d5a67f31c25acd4a6b86be0ca0598268f4ca6843

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26312/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample