MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 19 File information Comments

SHA256 hash:	aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa
SHA3-384 hash:	68e34a86a792d331e1a7987aabbaa72e2b2f50417036bf41e3ae241fdbb13ee5775dfa35693349bbba576bee78b2fb15
SHA1 hash:	19b5b0886080866ca41f01a9206b55a27db51fcb
MD5 hash:	dec4bd91ceb8db198d4d611c75b80c9a
humanhash:	whiskey-single-freddie-minnesota
File name:	ungziped_file
Download:	download sample
Signature	Formbook Create hunting rule
File size:	743'424 bytes
First seen:	2025-08-11 06:19:24 UTC
Last seen:	2025-08-14 11:06:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:xvNfgPpAZU65v5daUQbr8sJRFuK/4wx5Fnu1vbNU9su9hvf9Z29mpmD:xvNfghAZU65v5lQLJRt/4w1uRGK+hvfM
Threatray	4'123 similar samples on MalwareBazaar
TLSH	T137F423AB3699CA36C8FD6B721431F27013B6AD9DC022E3164EE1ECDFB501B995D1A740
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SKQ31295069325MD.exe

Verdict:

No threats detected

Analysis date:

2025-08-05 08:57:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6520280d-47df-4027-8f3b-68b68eaf8af2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/20045/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6891c7951e8a59ee04e57de9

Tags:

shell spawn sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Sending a custom TCP request

Сreating synchronization primitives

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66a91ad4-e7e1-49a6-8651-d0e370440d7e

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) SOS: 0.28 Win 32 Exe x86

Link:

https://app.malva.re/file/dec4bd91ceb8db198d4d611c75b80c9a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa/

Verdict:

Malicious

Threat:

VHO:Trojan-PSW.MSIL.Agensla

Link:

https://tip.neiki.dev/file/aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-08-05 07:28:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vlhjxavvunq7t7qoudlnb2tocqomu77zoypa26rgmx6xouvfj75a._file

Verdict:

malicious

Label(s):

unc_loader_037

Formbook

858a1f71c14ad346a95146debe2df736b00654d971bb884e6932db16404ab973

Formbook

87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056

Formbook

95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915

Formbook

+ 4'113 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/250811-g5mbnaz1cz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6002c919-ea95-4c12-98aa-ef111e963490

Unpacked files

SH256 hash:

aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

MD5 hash:

dec4bd91ceb8db198d4d611c75b80c9a

SHA1 hash:

19b5b0886080866ca41f01a9206b55a27db51fcb

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

8635254a2408c0507dc57fb41ce63b25962cfc32771b4ce26c6a0f76e4588a12

MD5 hash:

3fde82ed69546a02792bbc9fb68c7335

SHA1 hash:

1280390ad0deae78beae1986f954e6750bf57b55

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

2f2a721779a41819dd8e36a4fe4f4a282b8727919dfce970496f5cfba8b89e2a

MD5 hash:

0ddd2fd65907e074e291bed0fa34515b

SHA1 hash:

2a4bcea843da537a6e61419b4c9f0983ec820cdb

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

6231ca045bdb78f90fa4e09e65da692ac4500afff87a00e5772f2a1f3f6b0df5

MD5 hash:

29f1ab351d39eab7ed8eaa2aabc35327

SHA1 hash:

22d8514fc711323c0426c3f5b35c9b37d884c9f3

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

Parent samples :

95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915
0f35ba4092a1137650826b2cd0eff36eeb58a51c09fb1210199948a2b03a48f3
87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056
f1072b6f2cef8a84384f1d3d5f64905640d41be85aa4966cbf6ada530be721ac
908ea4e10ff30ea0fb4dd724fdb19e1f9c491b443c90cf0957ed6216ff5d800e
6fd471d3b5a60eb2827287c5b805a12d8e4147c5c2ce85585b3e2748a10e6226
9975b81e9f8b7bf220475765a809c03d9462b60f27a06de2b5d867152aca5dad
abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
8d472caf596f0d5c7a9d1fc2bfc371f55eca7016ffe249409da702227f60a0a2
7e41a89cc3189d021b07d2c2cdcfbf151f498447e73b3539be37bbfa24586fbe
858a1f71c14ad346a95146debe2df736b00654d971bb884e6932db16404ab973
aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

SH256 hash:

d4d57160e5d12860bd53767cbee3d7db7f8b23eaf8bbe1c21654992e111816a4

MD5 hash:

e9d0a57288e8535e4de41efed2092434

SHA1 hash:

28185d6f833396935b71697638d796482886c93f

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

4e68463959e9295134cd8a945b461600d638034eea86578c082362e87f2f9f28

MD5 hash:

77ff53e7dcb6fb00114d8e0025812ca3

SHA1 hash:

3bd2efd255107094977e28f64a351c2a714690a4

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

a559ed3d00cea2692ddc7d4e5ce674275b9bfd87bdc55056e5ceaf62ad9e6e1d

MD5 hash:

0ad5cdd74fcbd8519e47de5f5b5bfe89

SHA1 hash:

45b7a5a6782b03c20be2d0bb46704fe86f5bc2e4

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

b322ea899eb48a10a0a6db100c6ee8d410355435bafdfdedab2de1fed45305d8

MD5 hash:

a4a87e307ad7a3ddaf209a1a4bab7cfc

SHA1 hash:

7af08237ff1c3dae9b9e09c0ba7294390fc77d8b

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

1bbf0181a363a94c8ca224de542a62392aa6a9ab08d30b464859f9e7d7a7bdb2

MD5 hash:

508179f76be01be3298059c7e4f1536f

SHA1 hash:

97bb4d557e762807f832423476d829e6f83d19e4

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

Parent samples :

6bfefb0f3b8a878aec69c3d830824c3bf7d5181ffd6d6e88dc4a8d793370c233
f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
fb114b07eab8c5dd7faf8dc1b15f79cda7043f283f17c2c89797c57112d926d1
aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

SH256 hash:

7cb374919cae131883b1e2a87ce05ee638e75b5a2f63efdb05c56a1ed20150eb

MD5 hash:

0ec805fbd1af686b7673ffff8c0fdd6b

SHA1 hash:

c9247e661de2e510237f8d3e4d4033bfdf71e26d

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

bec85b176452d06e3a90112279293258dc6d4110dd409af3c51f1075eb731cd0

MD5 hash:

68791dc0d3c6e3d6db3f51fce04b460a

SHA1 hash:

d9feaf7aced13928717d5acca50b9578ca4b55d2

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

925a1a1a78e549a04cea0a7926b89e819397fb03416bc6e81a9a8096129149aa

MD5 hash:

f7f98a58703504c2cdca3ecf6ef0a413

SHA1 hash:

dd7605120969dfef4b1199bd354c0ddcd80063b9

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

1b71cd68671c01f792511c7b14ced4406d7aa747f33d7ad0faed90d5d5c3b154

MD5 hash:

b8667a00f081e9e392569f1a0b0b962a

SHA1 hash:

f821904b22621c808090ed06467fac78d618317d

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

SH256 hash:

cd5cb124451f102c575a69653a68065b2763544f2fc8d0e8402faf1b361819f7

MD5 hash:

a4c10d69283529fb438f9c8c8ef66955

SHA1 hash:

7c5fea184d079cc5d66418637fb7393a079e290b

Link:

https://www.unpac.me/results/bbdeae72-39e1-43d0-8e76-437aa2ee2a03/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aace9b82b5a3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/20045/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample