MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044
SHA3-384 hash: 00404b45bdd04ba5aa6b1058b01adb18066cb5f2df1bfc1c5a7cce1b525d3671a6824b4580779a6a2ee327b58adcc6ca
SHA1 hash: c952a9c3bd78641b3118c633837a3028730a6566
MD5 hash: 22f951c3f6fabe1c08e8c906dda9699f
humanhash: shade-football-connecticut-chicken
File name:SecuriteInfo.com.Win32.Malware-gen.31592574
Download: download sample
Signature Formbook
Create hunting rule
File size:737'792 bytes
First seen:2025-11-04 02:28:38 UTC
Last seen:2025-11-04 11:52:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21371b611d91188d602926b15db6bd48 (70 x Formbook, 33 x AgentTesla, 20 x RemcosRAT)
ssdeep 12288:Kz7hU5I5yuNHIgzSFKxWltRohBfSTso93U/azayibDBNaezoyZwGK9GD+pxkhw:Kf+iN57Gtene3wSih0ezoz4w
Threatray 2'061 similar samples on MalwareBazaar
TLSH T1E8F422851A81A961E200A3308833CC5599783D606F06D73A872CFE7FBC75397E96775E
TrID 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe FormBook UPX
File size (compressed) :737'792 bytes
File size (de-compressed) :1'244'160 bytes
Format:win32/pe
Unpacked file: 480eba71b028d39614cfb7d3f83e75358348d256f8d27e687a4a85ba7499a1a4

Intelligence

File Origin
# of uploads :
5
# of downloads :
118
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Malware-gen.31592574
Verdict:
No threats detected
Analysis date:
2025-11-04 02:30:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b968429-bf7d-4ca3-90bc-1331d5c34986

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35201/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690964df9942f1282ecbd5f1
Tags:
autoit virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit compiled-script formbook microsoft_visual_cc packed packed packed unsafe upx virus
Link:
https://www.filescan.io/uploads/690964f84425b0b1fd12e94e/reports/7889d6c6-f42e-47a3-adc3-caf65d29f865/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-03T20:53:00Z UTC
Last seen:
2025-11-06T00:25:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest Trojan-Dropper.Win32.Dorifel.sbd Trojan.Win32.Zenpak.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.Win32.Inject.sb Trojan-Spy.Win32.Noon.bnjr Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Strab.sb VHO:Trojan-Spy.Win32.Noon.bnjs
Link:
https://opentip.kaspersky.com/911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22f6d490-98bb-4a77-a5af-f2ff765fe794
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044
Verdict:
Malware
YARA:
5 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/22f951c3f6fabe1c08e8c906dda9699f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 02:31:47 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=senlsbzxnbb63mc3i7tbly3vqitwzrfpfntwoj5ppvqyghm72bca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01d5ee39bc1c92fd89ac108357bbd155e92fb8ca03876846cfa8ce393b8552f1
Formbook
20be309bf6b73157d6ffcacabfe2a4140c5270390836f2d06cc638fed98877fb
Formbook
2dcb2fd846c048795d1a3d059ce923bd53e26373db8bd324ec9f4c213f730be1
Formbook
344a1d112d40622af871c3a370b4706dade1e3d164ea551d3b0e7a8e223d120a
Formbook
44d76c2813cbcbbc38602cf85005884c492f6eb76fbdac3e8279633d75fc5a0d
Formbook
4c43b309ba3f6388617f713f68150812c71bf42bbb6de40399082fca221bc336
Formbook
75dfbb18396808592a7b46045f58a499b13169b13c75efa51f5c715d1d3f03e2
Formbook
7adce544b62e952c35eda61e57a188834b85bade02d1112ac2e8cf910bcb5903
Formbook
ccdf673390e032a11978be52ef503088dde4018bcf938522f848fee747715153
Formbook
error
Formbook
+ 2'051 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan upx
Link:
https://tria.ge/reports/251104-cyjvqsat8d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6e17c0e9-9c10-466a-92e5-6b710b61efec
Unpacked files
SH256 hash:
911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044
MD5 hash:
22f951c3f6fabe1c08e8c906dda9699f
SHA1 hash:
c952a9c3bd78641b3118c633837a3028730a6566
Link:
https://www.unpac.me/results/9a4ff326-2718-4f1f-ae82-94016db51237/
SH256 hash:
480eba71b028d39614cfb7d3f83e75358348d256f8d27e687a4a85ba7499a1a4
MD5 hash:
d9f03f7ae6ead75190b91448bc0d7e27
SHA1 hash:
f473f27ed0365dbb4c43c624be4c264d62702a87
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/9a4ff326-2718-4f1f-ae82-94016db51237/
Parent samples :
911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044
480eba71b028d39614cfb7d3f83e75358348d256f8d27e687a4a85ba7499a1a4
SH256 hash:
7bc02e40d267f0806ccbe4ddf692cf7e30e15aea70d7459a62be513ef77c43fa
MD5 hash:
64bb70052b94833bae8c6c2ed8355480
SHA1 hash:
3c5b9df2ff518b5026fa23510781e3d1cd15cd5a
Link:
https://www.unpac.me/results/9a4ff326-2718-4f1f-ae82-94016db51237/
SH256 hash:
4d0a2ce8f92ff91418249e57777e408c8129b090965f10baef979494f0793572
MD5 hash:
416dbb334ecbc16a85b532066f12240d
SHA1 hash:
8f34f4e13c28732bbc279ee38f5ea4e5d68540df
Link:
https://www.unpac.me/results/9a4ff326-2718-4f1f-ae82-94016db51237/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/911ab9073768/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:win_upx_packed
Create hunting rule
Author:Reedus0
Description:Rule for detecting UPX packed malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Formbook

Executable exe 911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044

(this sample)

Formbook

Executable exe 480eba71b028d39614cfb7d3f83e75358348d256f8d27e687a4a85ba7499a1a4

  
Dropping
SHA256 480eba71b028d39614cfb7d3f83e75358348d256f8d27e687a4a85ba7499a1a4
  
Dropping
MD5 d9f03f7ae6ead75190b91448bc0d7e27
Cape
Cape
https://www.capesandbox.com/analysis/35201/

Comments