MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 21 File information Comments

SHA256 hash:	931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37
SHA3-384 hash:	ea69391960fbb7053c9c72545fd75af4eb75037762c14a6838f20ae60a10653f386521033927e4cec707d994eaf9eb99
SHA1 hash:	f3676df91ae80daf9263728f0640a37656f26d28
MD5 hash:	14f877a5bafb97e34801b9a2f8a9e898
humanhash:	glucose-beryllium-tennessee-steak
File name:	SecuriteInfo.com.Trojan.Remcos.650.11911.3300
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'894'912 bytes
First seen:	2026-01-07 14:33:46 UTC
Last seen:	2026-01-07 15:23:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f8bf7b54f582b47a2308f7e0b43974d9 (2 x RemcosRAT, 2 x Formbook)
ssdeep	24576:1DUyD7vMf1/iw0/GUhikiJaHj9D/Q9ofR/yMKbXRxmIbF1THo:1tTDhUJaD9LF6PDjmIbbTHo
TLSH	T17495C062A3905433D5735A389C2BA375042EBE101E1BA486FEED9E4C8F776817DE1393
TrID	26.4% (.EXE) Win64 Executable (generic) (10522/11/4) 25.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 16.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 11.3% (.EXE) Win32 Executable (generic) (4504/4/1) 5.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Trojan.Remcos.650.11911.3300

Verdict:

Malicious activity

Analysis date:

2026-01-07 14:36:03 UTC

Tags:

delphi formbook stealer xloader

Link:

https://app.any.run/tasks/62a892b0-4e03-435b-b60d-f8cc400d0f33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48071/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695e6ee8f50945831dfe538e

Tags:

emotet micro blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Creating a process from a recently created file

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi fingerprint keylogger packed

Link:

https://www.filescan.io/uploads/695e6ee787e75cdd5af6b86e/reports/31e98272-4d0f-4460-923a-5380bec1b38c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-07T08:50:00Z UTC

Last seen:

2026-01-08T04:36:00Z UTC

Hits:

~10

Detections:

Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win32.SpeedBit.sb Trojan.Win32.Agent.sb HEUR:Backdoor.Win32.Remcos.gen HEUR:Backdoor.Win32.Agent.gen Backdoor.Win32.Blakken.sb

Link:

https://opentip.kaspersky.com/931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d258cf4e-8fda-4251-8546-ba778c6499b9

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/14f877a5bafb97e34801b9a2f8a9e898

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2026-01-07 14:34:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=smokbkbo5tfnwp6ra6ftoj3xccpbz4r4sl4y44xghuj4fquqxm3q._file

Verdict:

malicious

Label(s):

dbatloader

formbook

Similar samples:

error

Formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:pe02 discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/260107-rxh95shv9f/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fc447544-98c0-4696-82fd-1087ed13939a

Unpacked files

SH256 hash:

931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37

MD5 hash:

14f877a5bafb97e34801b9a2f8a9e898

SHA1 hash:

f3676df91ae80daf9263728f0640a37656f26d28

Link:

https://www.unpac.me/results/58bb9a06-a774-4f42-9b00-e6d4b714e349/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/58bb9a06-a774-4f42-9b00-e6d4b714e349/

SH256 hash:

0421211389d0de69a1ab24415c6b83cf1725e3643752a2858cdeb6baacd15638

MD5 hash:

26c425142b1f3c102b50aabb70e398f4

SHA1 hash:

3c492535e29b9c4522b09deed19ed168fd05bbc9

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/58bb9a06-a774-4f42-9b00-e6d4b714e349/

Parent samples :

931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37
06052b42027916a8eb6ba0a4dc83929a23c8ac430749e524802b0b9fee7cf109

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/931ca0a82eec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/931ca0a82eeccadb3fd1078b372777109e1cf23c92f98e72e63d13c2c290bb37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/