MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 19

Intelligence 19 IOCs YARA 8 File information Comments

SHA256 hash:	9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563
SHA3-384 hash:	afde2f337b4717db35ab92c6dc33b63925a8bb45c64c12e8f71077325cab290014a0453bd579b616a508c18f7ba045e8
SHA1 hash:	0dbe525ea1118ba2342192c1b1c702161d88f93e
MD5 hash:	5f0434759b304feb29fcdc576643b076
humanhash:	salami-lactose-lithium-two
File name:	RFQ25101.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'194'496 bytes
First seen:	2025-11-14 02:16:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0f7552f9514e3a32a8dc8a5a9d9c89a7 (12 x Formbook, 2 x SnakeKeylogger, 1 x a310Logger)
ssdeep	24576:Ftb20pkaCqT5TBWgNjVYv3FMdFRB92azR16A:2Vg5tjVYv1MdFRB0ar5
TLSH	T17A45CF1273DEC361C3B25273BA16B701BE7F782506A5F96B2FD4093DE920162521EA73
TrID	50.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 19.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.5% (.EXE) Win32 Executable (generic) (4504/4/1) 3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe FormBook upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 a261dd696014b1ee8348bef04980efda5d762a6563a08c0256d5f09fec1a8cd7

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	709'120 bytes
File size (de-compressed) :	1'194'496 bytes
Format:	win32/pe
Packed file:	a261dd696014b1ee8348bef04980efda5d762a6563a08c0256d5f09fec1a8cd7

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ25101.exe

Verdict:

No threats detected

Analysis date:

2025-11-14 02:16:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c6fc91e5-33e6-465d-a843-bec96a39102c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/38163/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

PUA.Win.Packer.Embedpe-3

PUA.Win.Packer.AcprotectUltraprotect-1

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69169132434cd67b17c10ea7

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger microsoft_visual_cc packed phishing

Link:

https://www.filescan.io/uploads/69169130219b4496562afe0e/reports/5b27f5ed-b0cd-4fe7-96f7-cb78513dcd5e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-13T23:42:00Z UTC

Last seen:

2025-11-14T00:02:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Zenpak.sb HEUR:Trojan.Script.AUO.gen Trojan-Dropper.Win32.Dorifel.sbd Trojan.Win32.Agent.sb Trojan-Spy.Win32.Noon.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Auzenpak.sb

Link:

https://opentip.kaspersky.com/9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5cae542c-abf7-47aa-8b14-9618450e98c7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1813942

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/5f0434759b304feb29fcdc576643b076

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-11-14 02:17:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=twovoy7dupqcwtqu5jxxufn2p3ec5sngdzi6mw2lpisit7yb4vrq._file

Verdict:

malicious

Label(s):

formbook

autoit

Similar samples:

error

Formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/251114-cqwjkaej4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3e9c6d0b-2790-428c-a9bd-0e77bd8f1f36

Unpacked files

SH256 hash:

9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563

MD5 hash:

5f0434759b304feb29fcdc576643b076

SHA1 hash:

0dbe525ea1118ba2342192c1b1c702161d88f93e

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/6c43f92a-e8b8-4d14-9ca4-9101289bef19/

Parent samples :

a261dd696014b1ee8348bef04980efda5d762a6563a08c0256d5f09fec1a8cd7
9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563

SH256 hash:

98bb3ca9e2a85f3b71fe13294a39ccb3189a17f28097c5f026f36679dc230154

MD5 hash:

77528bae1111971b41d3681df549560a

SHA1 hash:

d9aa223ca3c066dae6c684be7cb980dff347c1ce

Link:

https://www.unpac.me/results/6c43f92a-e8b8-4d14-9ca4-9101289bef19/

SH256 hash:

ad116036888cc73def067eca55aa69ce1ec29b38531c9bab0b5819590b8de64b

MD5 hash:

90501ad67cea5e8b6f609f02962aeed9

SHA1 hash:

21da4cbff4d90bf50563380359e0f40238f6dec4

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/6c43f92a-e8b8-4d14-9ca4-9101289bef19/

Parent samples :

a261dd696014b1ee8348bef04980efda5d762a6563a08c0256d5f09fec1a8cd7
9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563
893576f28b34077d76e44f7d0e0d02f7b8c78d893ae89a08d8b4fa07ea2a8769
7f6ac170b73b1c27c617cca5490db211a67f7d1d82e6e934956984efedfa16c6
9460bd13bd96c1b8efbcae59113e415108de827470984038d00c266a588a14bd
b62e5c0c5ffa1a2325034f596f1a731660b217bee5497ddf513041ad175c799d

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9d9d5763e3a3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d9d5763e3a3e02b4e14ea6f7a15ba7ec82ec9a61e51e65b4b7a2489ff01e563

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/